openclaw versions <= 2026.3.12 accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.

The vulnerable path was the remote attachment staging flow in src/auto-reply/reply/stage-sandbox-media.ts. When ctx.MediaRemoteHost was set, OpenClaw staged the attachment by spawning /usr/bin/scp against <remoteHost>:<remotePath>. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.

This issue is in scope under OpenClaw's trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.

openclaw@2026.3.13 validates the SCP remote path before spawning scp. Current code calls normalizeScpRemotePath(...) and rejects paths containing shell metacharacters instead of passing them through to the remote shell.

Regression coverage exists in src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts (rejects remote attachment filenames with shell metacharacters before spawning scp).

Thanks @lintsinghua for reporting.