PT-2026-25453 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The shell environment fallback path could invoke an attacker-controlled shell when SHELL was inherited from an untrusted host environment. In affected builds, shell-env loading ran $SHELL -l -c 'env -0' without validating that SHELL points to a trusted executable.
In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates SHELL as an absolute, normalized path to an executable, prefers shells listed in /etc/shells, applies trusted-prefix fallback checks, and falls back safely to /bin/sh when validation fails. The dangerous env-var policy now also blocks SHELL overrides.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.21-2
  • Latest published vulnerable version: 2026.2.21-2
  • Patched versions (planned next release): >= 2026.2.22

Fix Commit(s)

  • 25e89cc86338ef475d26be043aa541dfdb95e52a

Release Process Note

The advisory pre-sets patched versions to the planned next release (2026.2.22). After that npm release is published, maintainers can publish this advisory without further version-field edits.
OpenClaw thanks @athuljayaram for reporting.

Weakness Enumeration

Untrusted Search Path

OS Command Injection

Related identifiers

GHSA-F8MP-VJ46-CQ8V

Affected products

Openclaw