Aether-Ai-Agent

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.18 **Description** The software handles Discord moderation actions (timeout, kick, ban) using information from request parameters instead of a secure source. This allows a user without administrative privileges to potentially perform moderation actions by manipulating sender identity fields. The issue occurs when Discord moderation actions are enabled and the bot possesses the necessary permissions within a Discord server. The vulnerable component relies on request parameters to determine sender identity in tool-driven flows, rather than a trusted runtime context. The vulnerable parameters are related to sender identity within the request. **Recommendations** Update to version 2026.2.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.2.17 and earlier **Description** OpenClaw, a personal AI assistant, contains an issue in the `skills/skill-creator/scripts/package skill.py` script. This script previously followed symbolic links when creating `.skill` archives. If an author runs this script on a crafted skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. This can lead to the potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact. Exploitation requires local execution of the packaging script on attacker-controlled skill contents. The vulnerable component is the `package skill.py` script. **Recommendations** Versions prior to 2026.2.18 are affected. Reject symlinks during skill packaging. Add regression tests for symlink file and symlink directory cases. Update packaging guidance to document the symlink restriction.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, potentially enabling container escape or host data access. The affected versions lack restrictions on dangerous sandbox Docker settings and runtime enforcement during the construction of `docker create` arguments. Config-schema validation is absent for `network=host`, `seccompProfile=unconfined`, and `apparmorProfile=unconfined`. **Recommendations** Do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths. Keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`. Do not use `unconfined` for seccomp/AppArmor profiles.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** OpenClaw is a personal AI assistant. In shared-agent deployments, prior to version 2026.2.15, session tools (`sessions list`, `sessions history`, `sessions send`) permitted broader session targeting than intended by some operators. This is a configuration and visibility-scoping issue in multi-user environments where peers are not equally trusted, potentially exposing transcript content across peer sessions. In Telegram webhook mode, monitor startup did not fall back to per-account `webhookSecret` when only the account-level secret was configured. **Recommendations** Update OpenClaw to version 2026.2.15 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** OpenClaw is a personal AI assistant. The CLI process cleanup mechanism used system-wide process enumeration and pattern matching to terminate processes without verifying ownership by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the specified pattern. The CLI runner cleanup helpers could terminate processes matched by command-line patterns without validating process ownership. **Recommendations** Update to version 2026.2.14 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** The application logs Telegram bot tokens without redaction when they appear in error messages or stack traces, such as in request URLs including `https://api.telegram.org/bot<token>/...`. This can lead to the leakage of the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and gain full Bot API access. **Recommendations** Upgrade to version 2026.2.15 or later. Rotate the Telegram bot token if it may have been exposed.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions 2026.2.13 and below **Description** The OpenClaw application, a personal AI assistant, is susceptible to an OS command injection issue on macOS. The Claude CLI keychain credential refresh process constructs a shell command using `security add-generic-password -w ...` to write an updated JSON blob to the Keychain. Because OAuth tokens, which are user-controlled data, are used in this process, an attacker could potentially inject arbitrary OS commands. The fix involves using `execFileSync("security", argv)` to avoid shell invocation and passing the keychain payload as a literal argument. **Recommendations** Versions 2026.2.13 and below should be updated to version 2026.2.14 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** OpenClaw embedded the current working directory (workspace path) into the agent system prompt without proper sanitization. An attacker could potentially exploit this by creating a directory with control or format characters, such as newlines or Unicode bidi/zero-width markers. These characters could disrupt the prompt structure and allow the attacker to inject malicious instructions. This prompt injection could alter the agent's behavior, potentially leading to unintended tool use or the disclosure of sensitive information. The vulnerable component is the process of embedding the workspace path into the Large Language Model (LLM) prompt. **Recommendations** Update OpenClaw to version 2026.2.15 or later.