OpenClaw Command Injection Vulnerability in Windows Scheduled Task Script Generation
Vulnerability
A command injection vulnerability has been identified in OpenClaw versions prior to 2026.2.18. The issue arises in the Windows Scheduled Task script generation process, where environment variables are written unquoted to 'gateway.cmd'. This allows shell metacharacters to escape the assignment context. Attackers can inject arbitrary commands through environment variables provided in the configuration, exploiting the vulnerability when the scheduled task script is generated and executed.
Impact
Exploitation of this vulnerability allows command injection through unescaped environment variable assignments in the generated script, which can be used to execute arbitrary commands on the system when the scheduled task runs.
Reproduction
To reproduce this vulnerability, create a scheduled task whose configuration includes environment variables containing shell metacharacters such as '&', '|', '^', '%', or '!'. When the task is executed, the injected text is interpreted as commands in the cmd.exe context of the generated script, demonstrating the command injection.
Remediation
Users can update to OpenClaw version 2026.2.19 or later, where this vulnerability has been patched.
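The following Python is an added illustration of the defect class described above and of the fix a defender would expect; it is not OpenClaw's code and makes no claim about how OpenClaw actually generates gateway.cmd. It assumes a generator that emits one `set NAME=value` line per configured environment variable. It contrasts the unquoted interpolation with a hardened form (name validation, rejection of cmd.exe metacharacters, quoted assignment), and adds an audit routine that scans an existing script for assignments whose value could escape. The sample script contents are constructed for the example. Note that quoting alone is not a complete fix in cmd.exe: '%' is expanded before quotes are parsed and '!' is expanded under delayed expansion, which is why those characters are rejected rather than escaped.

```python
import re

# Characters that let a value escape an unquoted `set NAME=value` line in cmd.exe.
# Quoting the assignment (set "NAME=value") neutralises & | < > ^, but not
# % (expanded before quoting is considered), ! (delayed expansion) or an
# embedded quote, so those are rejected outright rather than escaped.
UNQUOTED_METACHARS = set('&|^<>"%!\r\n')
QUOTED_METACHARS = set('"%!\r\n')

# Conservative allow-list for environment variable names.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_env_value(value: str) -> bool:
    """True if the value contains no cmd.exe metacharacters."""
    return not any(ch in UNQUOTED_METACHARS for ch in value)


def render_set_line_unquoted(name: str, value: str) -> str:
    """Vulnerable pattern (assumed, for contrast): value interpolated with no
    quoting or validation, so '&', '|', '^', '%' or '!' end the assignment."""
    return f"set {name}={value}"


def render_set_line_hardened(name: str, value: str) -> str:
    """Hardened pattern: validate the name, reject metacharacters in the value,
    and wrap the whole assignment in quotes."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid environment variable name: {name!r}")
    if not is_safe_env_value(value):
        raise ValueError(f"value for {name} contains cmd.exe metacharacters")
    return f'set "{name}={value}"'


def render_env_block(env: dict) -> str:
    """Render every configured variable as a hardened `set` line."""
    return "\n".join(render_set_line_hardened(k, v) for k, v in sorted(env.items()))


# Audit side: find `set` lines in an already generated script whose value
# can break out of the assignment.
SET_QUOTED_RE = re.compile(r'^\s*set\s+"([A-Za-z_]\w*)=(.*)"\s*$', re.IGNORECASE)
SET_UNQUOTED_RE = re.compile(r'^\s*set\s+([A-Za-z_]\w*)=(.*)$', re.IGNORECASE)


def audit_script(script: str) -> list:
    """Return (line_no, name, reason) for each assignment that is not safe."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        m = SET_QUOTED_RE.match(line)
        if m:
            name, value = m.groups()
            if any(ch in QUOTED_METACHARS for ch in value):
                findings.append((line_no, name, "quoted value contains \", % or !"))
            continue
        m = SET_UNQUOTED_RE.match(line)
        if m:
            name, value = m.groups()
            if not is_safe_env_value(value):
                findings.append((line_no, name, "unquoted value contains metacharacters"))
    return findings


# Constructed sample of a generated script (not a real OpenClaw artifact).
SAMPLE_GATEWAY_CMD = "\n".join([
    "@echo off",
    "set GATEWAY_HOME=C:\\OpenClaw",
    "set GATEWAY_PORT=8443 & echo injected",
    'set "GATEWAY_DATA=C:\\Program Files\\OpenClaw"',
    'set "GATEWAY_TAG=%TEMP%"',
    'start "" "%GATEWAY_HOME%\\bin\\gateway.exe"',
])

if __name__ == "__main__":
    for line_no, name, reason in audit_script(SAMPLE_GATEWAY_CMD):
        print(f"line {line_no}: {name}: {reason}")
    print(render_env_block({"GATEWAY_HOME": "C:\\OpenClaw", "GATEWAY_PORT": "8443"}))
```

Run against the constructed sample, the audit flags line 3 (an unquoted value carrying '&') and line 5 (a quoted value carrying '%'), while a block produced by the hardened renderer audits clean. Rejecting rather than escaping is the deliberate choice here: cmd.exe escaping rules differ between interactive, batch and delayed-expansion contexts, and an allow-list on values is far easier to get right for a generated script.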
