Shangzhi-Xu

#26530 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-23531
9.8
2026-03-02
Openclaw · Openclaw · CVE-2026-28453
**Name of the Vulnerable Software and Affected Versions**

OpenClaw versions prior to 2026.2.14

**Description**

OpenClaw versions before 2026.2.14 do not properly validate TAR archive entry paths during extraction. A crafted archive can use path traversal sequences, such as `../../...`, to write files outside the intended destination directory, a condition known as Zip Slip. The affected code path is the `extractArchive()` function in `src/infra/archive.ts`, which used `tar.x({ cwd: destDir })` without rejecting traversal and absolute entry paths. This issue affects installation flows, including `openclaw plugins install` and `openclaw hooks install`. An attacker who successfully exploits this issue can write files outside the extraction directory with the permissions of the OpenClaw process, potentially leading to configuration tampering and code execution.

**Recommendations**

Upgrade to OpenClaw version 2026.2.14 or later. Avoid installing untrusted plugin or hook archives.
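The check the advisory says was missing, as an added TypeScript example that is not OpenClaw's code: every entry name is resolved against the destination directory and refused if it is absolute or lands outside that directory, and symlink entries are additionally refused when their target escapes, since a later entry could otherwise be written through the link. Function names (`isSafeEntryPath`, `isSafeSymlink`, `partitionEntries`), the `ArchiveEntry` shape and the sample listing are constructed for illustration; passing the predicate as node-tar's `filter` option is an assumption about that library's API.

```typescript
import * as path from "node:path";

// Minimal shape of a TAR entry for this example (constructed; not OpenClaw's type).
export interface ArchiveEntry {
  name: string;                      // path recorded in the archive header
  type: "file" | "dir" | "symlink";
  linkpath?: string;                 // symlink target, when type === "symlink"
}

// True when `candidate` is `root` itself or lies strictly inside it.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Reject empty names, NUL bytes, absolute names on either platform, and any
// name whose normalized form resolves outside destDir (the Zip Slip case).
export function isSafeEntryPath(destDir: string, entryName: string): boolean {
  if (entryName.length === 0 || entryName.includes("\0")) return false;
  if (path.isAbsolute(entryName) || path.win32.isAbsolute(entryName)) return false;
  const root = path.resolve(destDir);
  const target = path.resolve(root, entryName);
  return isInside(root, target);
}

// A symlink entry is acceptable only if both its own location and its resolved
// target stay inside destDir; a link pointing outside would let a following
// entry be written through it to an arbitrary location.
export function isSafeSymlink(destDir: string, entryName: string, linkpath: string): boolean {
  if (!isSafeEntryPath(destDir, entryName)) return false;
  if (linkpath.length === 0 || path.isAbsolute(linkpath) || path.win32.isAbsolute(linkpath)) return false;
  const root = path.resolve(destDir);
  const linkLocation = path.resolve(root, entryName);
  const target = path.resolve(path.dirname(linkLocation), linkpath);
  return isInside(root, target);
}

export function isSafeEntry(destDir: string, entry: ArchiveEntry): boolean {
  return entry.type === "symlink"
    ? isSafeSymlink(destDir, entry.name, entry.linkpath ?? "")
    : isSafeEntryPath(destDir, entry.name);
}

// Split an archive listing into entries to extract and entries to refuse,
// so the refusals can be logged before anything touches the filesystem.
export function partitionEntries(
  destDir: string,
  entries: ArchiveEntry[],
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const e of entries) (isSafeEntry(destDir, e) ? accepted : rejected).push(e.name);
  return { accepted, rejected };
}

// Constructed sample listing mixing benign entries with the patterns the check must refuse.
export const SAMPLE_ENTRIES: ArchiveEntry[] = [
  { name: "plugin/package.json", type: "file" },
  { name: "plugin/lib/index.js", type: "file" },
  { name: "../../outside/config.json", type: "file" },   // traversal
  { name: "/tmp/absolute-path", type: "file" },          // absolute
  { name: "plugin/escape", type: "symlink", linkpath: "../../../home" }, // link escaping destDir
  { name: "plugin/ok-link", type: "symlink", linkpath: "lib/index.js" },  // link staying inside
];

// Assumed wiring into node-tar's extract filter (option name as I recall it, not verified here):
//   tar.x({ cwd: destDir, filter: (p) => isSafeEntryPath(destDir, p) });
```

Run the predicate over the listing before extraction rather than inside a per-entry callback only: a rejected entry should abort the whole install, since a partially written plugin directory is itself a tampering vector.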