Security Alert: OpenClaw 2026.2.17 Patches Credential-Theft Vulnerability (OC-09)

CodeTips via Emma W.
February 14, 2026

OpenClaw 2026.2.17 includes a critical security fix that all users should be aware of: OC-09, a credential-theft vulnerability via environment-variable injection in the exec tool.

What Was the Vulnerability?

The exec tool, which allows agents to run shell commands, was vulnerable to environment variable injection attacks. A malicious prompt or untrusted input could craft commands that exploited how environment variables are expanded, potentially leaking sensitive credentials stored in the agent's environment.

This is particularly concerning because OpenClaw agents often have access to:

  • API keys for providers (OpenAI, Anthropic, etc.)
  • Authentication tokens for services (GitHub, Slack, Discord)
  • Database credentials
  • Cloud provider secrets

Who Was Affected?

Any OpenClaw deployment where:

  1. The exec tool was enabled (default in most configurations)
  2. Environment variables contained sensitive credentials
  3. The agent processed untrusted input (group chats, public-facing bots, etc.)

The risk was highest for agents exposed to external users who could craft malicious inputs designed to exfiltrate credentials.

How It Was Fixed

The fix (credited to @aether-ai-agent) adds input sanitization and environment isolation to the exec tool pipeline. Specifically:

  • Environment variable references in command strings are now properly escaped
  • Untrusted input is sanitized before shell expansion
  • The exec environment is isolated from sensitive parent process variables

This closes the injection vector while maintaining the tool's legitimate functionality.
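To make the three fix points concrete (escaping variable references, sanitizing untrusted input before any shell expansion, and isolating the child environment from the parent's secrets), here is an added example of a hardened exec runner. It is illustrative code written for this post, not OpenClaw's own implementation; the environment allowlist, the command allowlist mentioned in the configuration advice below, the `PARENT_ENV` sample and its placeholder secret values are all constructed assumptions.

```python
import os
import shlex
import subprocess

# Constructed stand-in for the agent's parent-process environment.
# The secret values are obvious placeholders, not real credentials.
PARENT_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/agent",
    "LANG": "C.UTF-8",
    "OPENAI_API_KEY": "sk-PLACEHOLDER-not-a-real-key",
    "GITHUB_TOKEN": "ghp_PLACEHOLDER_not_a_real_token",
}

# Hypothetical policy: only these variables are passed to a child process.
ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TERM"})

# Hypothetical command allowlist, checked against the basename of argv[0].
COMMAND_ALLOWLIST = frozenset({"echo", "ls", "cat", "printenv", "true"})


def build_child_env(parent_env):
    """Keep only allowlisted variables, so credentials never reach the child."""
    return {name: value for name, value in parent_env.items() if name in ENV_ALLOWLIST}


def references_environment(command):
    """Flag shell-style variable references ($NAME, ${NAME}) in an untrusted command.

    Useful as a detection signal: an agent-proposed command that mentions
    environment variables deserves logging or review before it runs.
    """
    return "$" in command


def parse_command(command):
    """Split the command into argv without invoking a shell.

    shlex.split honours quoting but performs no variable expansion, so
    'echo $GITHUB_TOKEN' yields the literal token '$GITHUB_TOKEN'. Command
    chaining characters (';', '&&', '|') also stay literal tokens.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if os.path.basename(argv[0]) not in COMMAND_ALLOWLIST:
        raise PermissionError(f"command not allowlisted: {argv[0]}")
    return argv


def run_isolated(command, parent_env=None, timeout=10):
    """Run an allowlisted command with no shell and a scrubbed environment.

    Returns (returncode, stdout, stderr).
    """
    source_env = os.environ if parent_env is None else parent_env
    argv = parse_command(command)
    completed = subprocess.run(
        argv,
        env=build_child_env(source_env),
        shell=False,          # argv is executed directly: no expansion, no chaining
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return completed.returncode, completed.stdout, completed.stderr


if __name__ == "__main__":
    # A command that would leak a key under a naive shell=True runner prints
    # only the literal text '$OPENAI_API_KEY' here.
    code, out, _ = run_isolated("echo $OPENAI_API_KEY", PARENT_ENV)
    print(f"exit={code} stdout={out!r}")
```

The two properties that matter are independent and both are needed: passing argv with `shell=False` means nothing is expanded or chained, and the scrubbed `env` means that even a command which legitimately reads its environment (such as `printenv`) cannot see the parent's keys.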

What You Should Do

1. Update immediately

openclaw update

2. Rotate any potentially exposed credentials

If you've been running a public-facing OpenClaw agent with exec enabled, consider rotating:

  • API keys
  • Bot tokens
  • Any secrets stored in environment variables

3. Review your exec configuration

Consider whether your agent truly needs shell access. If not, you can restrict it:

agents:
  defaults:
    tools:
      exec:
        enabled: false

Or use allowlists to restrict which commands can run.

The Broader Lesson

This vulnerability highlights an important principle for AI agent security: treat LLM outputs as untrusted input. Even if your agent is "helpful," adversarial prompts can manipulate it into taking actions you didn't intend.

The OpenClaw team has been proactively auditing for these attack vectors. The 2026.2.17 release also includes fixes for:

  • Path traversal in $include resolution
  • Unicode injection in workspace paths
  • Various sandbox escape vectors

Security fixes like this are why keeping OpenClaw updated matters. Run openclaw update and stay safe.
