Openclaw · Openclaw · CVE-2026-25475
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.1.30
**Description**
OpenClaw is a personal AI assistant. The `isValidMedia()` function in src/media/parse.ts accepts arbitrary file paths, including absolute paths, home-directory paths, and directory-traversal sequences. An agent can therefore read any file on the system by emitting `MEDIA:` followed by a file path, potentially exfiltrating sensitive data to a user or channel. The root cause is the permissive path handling in `isValidMedia()`.
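As an added example (not code from OpenClaw or from this advisory), the block below models the permissive check described above beside a hardened validator that only accepts relative, allow-listed media paths contained within a configured root, and runs both over constructed agent output. The functions `weakIsValidMedia`, `hardenedIsValidMedia`, `extractMediaPath` and `auditAgentOutput`, the media root `/srv/openclaw/media`, the extension allow-list and the sample lines are all assumptions for illustration; OpenClaw's real implementation is not reproduced here.

```typescript
import * as path from "node:path";

// Constructed media root for the example (assumption; not an OpenClaw path).
const MEDIA_ROOT = "/srv/openclaw/media";
// Hypothetical allow-list of media types the agent may reference.
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".gif", ".mp3", ".mp4", ".pdf"]);

// Hypothetical model of the permissive check the advisory describes: any
// non-empty string passes, so absolute paths, "~" paths and ".." sequences all
// reach the file reader. Illustration only, not OpenClaw's actual code.
function weakIsValidMedia(candidate: string): boolean {
  return candidate.trim().length > 0;
}

// Hardened replacement (hypothetical): the agent may only name a relative path
// with an allow-listed extension, and the resolved path must still sit inside
// one of the allowed roots after normalisation.
function hardenedIsValidMedia(candidate: string, allowedRoots: string[]): boolean {
  const p = candidate.trim();
  if (p.length === 0 || p.includes("\0")) return false;   // empty input / NUL-byte truncation
  if (p.startsWith("~")) return false;                     // home-directory shorthand
  if (path.isAbsolute(p)) return false;                    // absolute paths are never accepted
  if (p.split(/[\\/]/).includes("..")) return false;       // any traversal segment, either separator
  if (!ALLOWED_EXT.has(path.extname(p).toLowerCase())) return false;
  // Containment check: resolve against each root and require the result to stay under it.
  return allowedRoots.some((root) => {
    const base = path.resolve(root);
    const resolved = path.resolve(base, p);
    return resolved === base || resolved.startsWith(base + path.sep);
  });
}

// Pull the path out of an agent output line of the form "MEDIA: <path>".
function extractMediaPath(line: string): string | null {
  const m = /^MEDIA:\s*(.+)$/.exec(line.trim());
  if (!m) return null;
  return (m[1] ?? "").trim();
}

interface MediaAudit {
  line: string;
  mediaPath: string;
  weakAccepts: boolean;
  hardenedAccepts: boolean;
}

// Run both checks over agent output. Entries rejected by the hardened check are
// what a defender would log and alert on as attempted out-of-root reads.
function auditAgentOutput(lines: string[], allowedRoots: string[]): MediaAudit[] {
  const results: MediaAudit[] = [];
  for (const line of lines) {
    const mediaPath = extractMediaPath(line);
    if (mediaPath === null) continue;
    results.push({
      line,
      mediaPath,
      weakAccepts: weakIsValidMedia(mediaPath),
      hardenedAccepts: hardenedIsValidMedia(mediaPath, allowedRoots),
    });
  }
  return results;
}

// Constructed sample agent output (not captured from any real system).
const SAMPLE_AGENT_OUTPUT = [
  "Here is the chart you asked for.",
  "MEDIA: charts/q1-revenue.png",
  "MEDIA: /etc/hostname",
  "MEDIA: ~/private/notes.pdf",
  "MEDIA: ../../secrets/config.pdf",
  "MEDIA: charts/..\\..\\notes.txt",
];

for (const r of auditAgentOutput(SAMPLE_AGENT_OUTPUT, [MEDIA_ROOT])) {
  const weak = r.weakAccepts ? "allow" : "reject";
  console.log(`${r.hardenedAccepts ? "ALLOW " : "REJECT"} ${r.mediaPath} (permissive check would ${weak})`);
}
```

The containment test is done on the resolved path rather than on the raw string so that a reference which looks relative but normalises outside the root is still caught; the explicit `..` and `~` rejections in front of it give clearer log messages for the common cases.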
**Recommendations**
Update to version 2026.1.30 or later.