OpenClaw macOS Desktop Client Deep Link Confirmation Vulnerability Leading to Arbitrary Command Execution

A vulnerability exists in the OpenClaw macOS desktop client, specifically in versions 2026.2.6 prior to 2026.2.14. The issue arises within the 'openclaw://agent' deep link functionality, which, without a valid unattended key, only displays the first 240 characters of a message in the confirmation dialog. However, the full message is executed after the user clicks 'Run'. This behavior creates an opportunity for attackers to manipulate the message by adding whitespace, pushing malicious payloads beyond the visible preview, and increasing the likelihood of user approval for a different message than what is actually executed. When the deep link is activated, the agent may perform actions leading to arbitrary command execution, depending on the user's tool approvals and allowlists. This vulnerability is mediated by social engineering, as the confirmation prompt can be made to misrepresent the executed message.

Impact

Exploitation of this vulnerability could result in arbitrary command execution by the OpenClaw agent, based on the user's configured tool approvals and allowlists.

Reproduction

To reproduce this vulnerability, send an 'openclaw://agent' deep link without an unattended key, ensuring the message is padded with whitespace to obscure the full content. When the user clicks 'Run', the agent will execute the hidden payload, potentially leading to unauthorized command execution.

Remediation

Users can update to OpenClaw version 2026.2.14 or later, where this vulnerability is fixed. Additionally, it is recommended to use unattended deep links only with a valid key for trusted personal automations.