Scanleale

#29920 of 53,611
8.8 Total CVSS
Vulnerabilities · 1
PT-2026-20369
8.8
2026-02-18
Openclaw · Openclaw · CVE-2026-26323
**Name of the Vulnerable Software and Affected Versions**

OpenClaw versions 2026.1.8 through 2026.2.13

**Description**

The software contains a command injection issue in the `scripts/update-clawtributors.ts` script. This affects contributors or maintainers, and CI systems, who execute `bun scripts/update-clawtributors.ts` on a source checkout containing a malicious commit author email. The script extracts a GitHub login from `git log` author metadata and uses it in a shell command via `execSync`. A crafted commit record can inject shell metacharacters, leading to arbitrary command execution. Normal CLI usage, such as `npm i -g openclaw`, is not affected as the script is not part of the shipped CLI and is not executed during routine operation.

**Recommendations**

Versions 2026.1.8 through 2026.2.13 should be updated to version 2026.2.14 or later. As a temporary workaround, avoid running the `bun scripts/update-clawtributors.ts` script on source checkouts with untrusted commit history.
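
The defensive pattern for this class of bug, as an added TypeScript example that is not OpenClaw's code or its actual patch: validate the login taken from commit metadata against GitHub's username rules, then pass it to the child process as a single argv element through `execFileSync`, so no shell ever parses it. The noreply email format, all function names and the echo child (a stand-in for whatever tool the real script invokes) are assumptions.

```typescript
import { execFileSync } from "node:child_process";

// GitHub login rules: 1-39 chars, alphanumeric or single hyphens,
// no leading or trailing hyphen.
const GITHUB_LOGIN = /^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$/;

// Assumed input format: GitHub noreply addresses such as
// "12345+octocat@users.noreply.github.com".
const NOREPLY = /^(?:\d+\+)?([^@]+)@users\.noreply\.github\.com$/;

/** Returns a validated login, or null when the email yields nothing safe. */
function loginFromAuthorEmail(email: string): string | null {
  const m = NOREPLY.exec(email.trim());
  if (m === null) return null;
  const candidate = m[1] ?? "";
  return GITHUB_LOGIN.test(candidate) ? candidate : null;
}

/**
 * Hands the value to a child process as one argv element, with no shell.
 * The child is the current runtime echoing its last argument back
 * (hypothetical stand-in for the real external command).
 */
function echoViaChild(value: string): string {
  return execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[process.argv.length - 1])", value],
    { encoding: "utf8" }
  );
}

// Constructed sample author emails, as `git log --format=%ae` might print them.
const SAMPLE_EMAILS: string[] = [
  "583231+octocat@users.noreply.github.com",
  "1+x$(echo INJECTED)@users.noreply.github.com",
  "dev@example.com",
];

/** Skips every email that does not yield a valid login; never interpolates. */
function processEmails(emails: string[]): string[] {
  const out: string[] = [];
  for (const email of emails) {
    const login = loginFromAuthorEmail(email);
    if (login === null) continue;
    out.push(echoViaChild(login));
  }
  return out;
}

console.log(processEmails(SAMPLE_EMAILS));
```

Validation and shell-free execution are independent layers: the allowlist rejects the crafted value outright, and even an unvalidated string reaches the child as literal text when no shell is involved.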