PT-2026-22532 · Npm · Openclaw

Published: 2026-02-19 · Updated: 2026-02-19

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

The web fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.14
  • Fixed versions: >= 2026.2.15

Impact

An attacker can social-engineer a user (or any automation that uses web fetch) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.

Fix

The Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.
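As an added illustration of the two guards the fix describes (a body-size cap enforced before any parsing, and a cheap nesting check before any DOM/Readability work), the following is example code, not OpenClaw's own; it assumes Node 18+ (global fetch, AbortController, Buffer), and the limits are hypothetical placeholders rather than the project's values.

```javascript
// Added example, not OpenClaw's code: guards of the kind the fix describes,
// applied before any HTML/Readability parsing. Assumes Node 18+ (global
// fetch, AbortController, Buffer). Limits are hypothetical placeholders.
const MAX_BODY_BYTES = 2 * 1024 * 1024; // hypothetical cap: 2 MiB
const MAX_NESTING_DEPTH = 200;          // hypothetical cap on open-element depth
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'param', 'source', 'track', 'wbr']);
// Cheap pre-parse scan: tracks open/close tag depth with a regex, no DOM built.
// Void and self-closing tags never add depth; stray closers are ignored.
function maxNestingDepth(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)[^>]*?(\/?)>/g;
  let depth = 0, max = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, selfClose] = m;
    if (closing) { if (depth > 0) depth--; continue; }
    if (selfClose || VOID.has(name.toLowerCase())) continue;
    if (++depth > max) max = depth;
  }
  return max;
}
// Size check, then nesting check; only a body passing both goes to a DOM parser.
function guardHtml(html, { maxBytes = MAX_BODY_BYTES, maxDepth = MAX_NESTING_DEPTH } = {}) {
  const bytes = Buffer.byteLength(html, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: `body is ${bytes} bytes, cap is ${maxBytes}` };
  const depth = maxNestingDepth(html);
  if (depth > maxDepth) return { ok: false, reason: `nesting depth ${depth} exceeds ${maxDepth}` };
  return { ok: true, html, depth };
}

// Streamed fetch: reject on a declared length over the cap, abort the moment the
// received bytes exceed it, and only then run the nesting guard.
async function fetchGuarded(url, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_BODY_BYTES;
  const controller = new AbortController();
  const res = await fetch(url, { signal: controller.signal });
  if (Number(res.headers.get('content-length')) > maxBytes) {
    controller.abort();
    return { ok: false, reason: 'declared content-length exceeds cap' };
  }
  const chunks = [];
  let total = 0;
  for await (const chunk of res.body ?? []) { // Uint8Array chunks in Node 18+
    if ((total += chunk.length) > maxBytes) {
      controller.abort();                     // stop downloading; buffer is discarded
      return { ok: false, reason: `body exceeds ${maxBytes} bytes` };
    }
    chunks.push(chunk);
  }
  return guardHtml(Buffer.concat(chunks).toString('utf8'), opts);
}
```

The depth scan is a heuristic (quoted `>` inside attributes can confuse it), which is acceptable here because its only job is to refuse obviously pathological input before the real parser runs.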

Fix Commit(s)

  • 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147

Release Process Note

This advisory is prepared for the next npm release. Once openclaw@2026.2.15 is published, publish this advisory without further edits.
Thanks @xuemian168 for reporting.

Weakness Enumeration

Resource Exhaustion

Related Identifiers

GHSA-P536-VVPP-9MC8

Affected Products

Openclaw