
[MEDIUM] Security Advisory: OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls (openclaw)

OpenClaw, an npm package for handling host executions in Node.js environments, ships a medium-severity vulnerability in versions up to 2026.3.28. The flaw lets host environment overrides bypass critical controls for proxies, TLS verification, Docker configurations, and Git TLS settings. Attackers or misconfigurations could exploit this to leak data or fetch insecure resources.

This issue surfaced in shipped version 2026.3.28. When OpenClaw executes host commands, it fails to propagate essential environment variables like http_proxy, https_proxy, no_proxy, NODE_TLS_REJECT_UNAUTHORIZED, Docker-specific vars such as DOCKER_HOST or DOCKER_TLS_VERIFY, and Git TLS flags like GIT_SSL_NO_VERIFY. Maintainers confirmed the problem as real and merged fix commit 4d912e04519b4bd53b248437c53748cdebce9a41 on March 31, 2026, at 21:25:36+09:00. The patch landed in version 2026.3.31, but triage remains open.

Vulnerability Breakdown

OpenClaw likely serves devops or CI/CD workflows, executing shell commands from Node.js with host privileges. In secured setups (think corporate proxies or air-gapped systems) these env vars enforce compliance. Proxy vars route traffic through approved gateways, blocking direct internet access. TLS vars prevent man-in-the-middle attacks on HTTPS endpoints. Docker vars ensure authenticated, verified image pulls. Git TLS verification guards against cloning from tampered repos.

Without propagation, subprocesses ignore these. A malicious script run via OpenClaw could:

Normalized severity sits at medium because it demands code execution context—already risky in npm deps—but amplifies supply chain threats. No remote code execution; it’s a config bypass. Reported by @AntAISecurityLab, maintainers acted fast, crediting the finder publicly.

Why This Matters

Npm hosts over 2 million packages; devs pull in thousands indirectly. A single flawed exec wrapper like OpenClaw cascades risks across pipelines. Consider GitHub Actions or Jenkins: jobs fetch deps, build Docker images, clone repos. If OpenClaw runs there, one vuln evades org-wide hardening.

Real-world context: Proxies catch 80% of outbound threats per SANS data. TLS pinning blocks 40% of MITM in enterprise telemetry. Docker mispulls fueled 2021 Codecov breach; Git bypasses aided SolarWinds. This flaw reopens those doors. Skeptically, medium rating undersells it for proxy-heavy envs—update or you’re exposed.

Broader npm ecosystem patterns worry more. Versioning like 2026.3.xx suggests a niche project, possibly internal or experimental, yet published publicly. Shipped vulns erode trust; 70% of breaches trace to unpatched deps per Verizon DBIR 2025. If you’re on <=2026.3.28, assume compromise potential in untrusted inputs.

Fix and Recommendations

Upgrade immediately to >=2026.3.31, the first stable tag with the fix. Verify the installed version via npm ls openclaw or npm audit. The commit adds env var passthrough explicitly; to apply it to a fork:

git cherry-pick 4d912e04519b4bd53b248437c53748cdebce9a41

Post-fix, audit your OpenClaw usage. Scan for dynamic exec calls. Prefer containerized exec with seccomp profiles over host runs. Test proxy/TLS passthrough:

http_proxy=http://localhost:8080 npm run test-openclaw
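
One way to check the passthrough described above on your own runner, as an added example that is not OpenClaw's code or part of the advisory: it compares the control variables named in this article between a parent environment and the environment a child process received. The `run` hook, the function names and the sample environments are assumptions made for illustration.

```javascript
// Added example: compare security-control env vars between a parent
// process and the child it launched. Variable names are the ones the
// advisory text lists.
const CONTROL_VARS = [
  "http_proxy", "https_proxy", "no_proxy",
  "NODE_TLS_REJECT_UNAUTHORIZED",
  "DOCKER_HOST", "DOCKER_TLS_VERIFY",
  "GIT_SSL_NO_VERIFY",
];

// dropped  = set in parent, absent in child (control silently lost)
// changed  = present in both with different values (control overridden)
// injected = absent in parent, present in child (control added en route)
function compareControls(parentEnv, childEnv) {
  const findings = [];
  for (const name of CONTROL_VARS) {
    const p = parentEnv[name];
    const c = childEnv[name];
    if (p !== undefined && c === undefined) findings.push({ name, status: "dropped" });
    else if (p === undefined && c !== undefined) findings.push({ name, status: "injected" });
    else if (p !== c) findings.push({ name, status: "changed" });
  }
  return findings;
}

// Capture what a real child sees. `run(file, args)` is a hypothetical hook
// for the exec wrapper under test and must return the child's stdout; the
// default uses Node's own execFileSync as a known-good baseline.
async function captureChildEnv(run) {
  if (!run) {
    const { execFileSync } = await import("node:child_process");
    run = (file, args) => execFileSync(file, args, { encoding: "utf8" });
  }
  const dump = "process.stdout.write(JSON.stringify(process.env))";
  return JSON.parse(await run(process.execPath, ["-e", dump]));
}

async function auditLive(run) {
  return compareControls(process.env, await captureChildEnv(run));
}

// Constructed sample environments (not captured from a real host).
const SAMPLE_PARENT = { http_proxy: "http://localhost:8080",
  NODE_TLS_REJECT_UNAUTHORIZED: "1", DOCKER_TLS_VERIFY: "1" };
const SAMPLE_CHILD = { NODE_TLS_REJECT_UNAUTHORIZED: "0",
  DOCKER_TLS_VERIFY: "1", GIT_SSL_NO_VERIFY: "true" };
console.log(compareControls(SAMPLE_PARENT, SAMPLE_CHILD));
```

Call auditLive() with no argument for a baseline, then with a function that routes the same command through your exec path; any finding means a control did not reach the child intact.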

Lock deps with package-lock.json and use tools like Dependabot or Socket.dev for ongoing scans. If you are pinned to the vulnerable range, fork and patch. Watch the OpenClaw repo: open triage means potential regressions.

Bottom line: Swift maintainer response mitigates damage, but don’t sleep on npm hygiene. One bypassed proxy equals one leak vector. Check your stack now.

April 3, 2026 · Source: GitHub Security
