OpenClaw Directory Traversal Vulnerability in Download Skill Installation
Vulnerability
A directory traversal vulnerability has been identified in OpenClaw, a personal AI assistant, in versions prior to 2026.2.15. The issue arises in the 'download' skill installation process, where the 'targetDir' value taken from a skill's frontmatter is not properly validated, allowing files to be written outside the designated per-skill tools directory. The vulnerable code path is the admin-only 'skills.install' workflow, so exploitation leads to file writes outside the intended installation sandbox by an operator who already holds install rights.
Impact
Exploitation of this vulnerability could result in arbitrary file writes outside the designated skill tools directory, potentially leading to unauthorized access or modification of files in the user's environment.
Reproduction
To reproduce this vulnerability, install a skill whose frontmatter includes a 'download' directive with a 'targetDir' value that resolves outside the default tools directory. The same effect can be obtained with a zip or tar.bz2 archive that contains a symlink, or with a zip archive crafted to trigger the traversal. Once the skill is installed, the downloaded files are written to the specified targetDir, bypassing the normal restriction to the per-skill tools directory.
Remediation
Users should update to OpenClaw version 2026.2.15 or later, which includes a fix that restricts the download 'targetDir' to the per-skill tools directory and so prevents writes outside it.