OpenClaw Command Injection Vulnerability in Keychain Credential Management on macOS
Vulnerability
A command injection vulnerability has been identified in OpenClaw, a personal AI assistant, in versions 2026.2.13 and earlier on macOS. The issue arises in the Claude CLI keychain credential refresh process, which builds a shell command string to update the Keychain with OAuth tokens, i.e. user-controlled data. Because the tokens are interpolated into that string rather than passed as discrete arguments, a token containing shell metacharacters can cause arbitrary OS commands to run. The vulnerability has been patched in version 2026.2.14.
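As an added illustration (not OpenClaw's code; the account and service names are constructed and the token alphabet is an assumption), the shell-string construction described above is shown beside an argv-based replacement, with printf standing in for the security tool so the comparison runs on any POSIX system:

```python
import re
import subprocess

# Constructed sample values; not OpenClaw's real keychain item names or a real credential.
ACCOUNT = "example-user"
SERVICE = "example-oauth-credentials"
# Allow-list for an OAuth token (assumption: JWT / base64url-style alphabet only).
TOKEN_RE = re.compile(r"[A-Za-z0-9._~+/=-]+")


def vulnerable_command(token: str, tool: str = "security") -> str:
    """The flawed pattern: the token is spliced into a string a shell will parse,
    so "$(...)" or backticks inside it are expanded before the tool ever runs."""
    return f'{tool} add-generic-password -U -a "{ACCOUNT}" -s "{SERVICE}" -w "{token}"'


def hardened_argv(token: str, tool: str = "security") -> list:
    """The fix: reject anything outside the token alphabet, then hand the token to
    the tool as one argv element with no shell anywhere in the path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the expected alphabet")
    return [tool, "add-generic-password", "-U", "-a", ACCOUNT, "-s", SERVICE, "-w", token]


def is_rejected(token: str) -> bool:
    """True when the hardened builder refuses the token."""
    try:
        hardened_argv(token)
    except ValueError:
        return True
    return False


def last_arg_seen_by_tool(token: str, use_shell: bool) -> str:
    """Run either construction with printf standing in for `security`; printf echoes
    each argument on its own line, so the last line is what "-w" delivered."""
    if use_shell:
        cmd = vulnerable_command(token, tool="printf '%s\\n'")
        out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    else:
        argv = hardened_argv(token, tool="printf")
        argv.insert(1, "%s\n")  # printf's format string comes right after the program name
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n").split("\n")[-1]


if __name__ == "__main__":
    print(last_arg_seen_by_tool("tok$(echo injected)", use_shell=True))  # shell expanded it
    print(is_rejected("tok$(echo injected)"))                            # True
```

The shell path shows the substitution being evaluated before the stand-in tool receives its arguments; the argv path never invokes a shell, and the allow-list rejects the token outright.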
Impact
Exploitation of this vulnerability could lead to arbitrary command execution on the user's behalf, bypassing normal shell argument handling and potentially causing unintended actions or data exposure.
Reproduction
The vulnerability can be reproduced by writing a Claude CLI keychain credential with a malicious OAuth token that includes shell metacharacters. This can be done by using the 'security' command-line tool to add a generic password, injecting a payload that exploits the command construction process. The injected command could be a simple command substitution or backtick expansion, which the shell interprets before passing the arguments to the 'security' tool, effectively executing the command as the user.
Remediation
Users can update to OpenClaw version 2026.2.14 or later, where this vulnerability has been fixed.
