PT-2026-37327 · Npm · Openclaw

Published: 2026-04-25 · Updated: 2026-04-25

CVSS v4.0: 5.4 (Medium)

Vector: AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to the spawned MCP server process. In a malicious workspace, this could make the MCP child process load attacker-controlled code when the operator starts a session that uses that MCP server.
The impact is limited to the local/workspace trust boundary and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium rather than high/critical.

Fix

OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.
Fix commits:
  • 62fa5071896e95edc7f67d1cebc70a2859e283af
  • 85d86ebc4bf3d2226d39d132a484f4f7a299fa1b
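The following is an added example of the kind of filtering the fix describes; it is not OpenClaw's code, and the denylist entries, function names and the sample workspace `env` block are constructed for illustration (the project's actual host environment safety denylist is not reproduced here).

```javascript
// Added example, not OpenClaw's own code: filter workspace-supplied MCP stdio
// environment entries through a denylist of process-startup variables before
// the entries reach child_process.spawn. The denylist is illustrative and is
// not the project's actual host environment safety denylist.

// Exact variable names that change what code a process loads at startup.
const DENIED_EXACT = new Set([
  "NODE_OPTIONS",   // extra Node.js CLI flags, applied before user code runs
  "BASH_ENV",       // file sourced by non-interactive bash
  "PERL5OPT",       // extra Perl switches
  "PYTHONSTARTUP",  // file run by interactive Python
]);
// Prefixes covering whole families of dynamic-loader knobs (LD_PRELOAD etc.).
const DENIED_PREFIXES = ["LD_", "DYLD_"];

function isDeniedEnvKey(key) {
  const k = key.toUpperCase(); // env names are case-insensitive on Windows
  return DENIED_EXACT.has(k) || DENIED_PREFIXES.some((p) => k.startsWith(p));
}

// Returns the allowed entries plus the names that were dropped, so the caller
// can warn: a workspace config that sets these keys is worth noticing.
function sanitizeMcpEnv(workspaceEnv) {
  const env = {};
  const dropped = [];
  for (const [key, value] of Object.entries(workspaceEnv ?? {})) {
    if (typeof value !== "string") continue; // env values must be strings
    if (isDeniedEnvKey(key)) dropped.push(key);
    else env[key] = value;
  }
  return { env, dropped };
}

// Builds the options object for child_process.spawn: sanitized workspace
// entries layered over the host environment, never the raw workspace map.
function buildMcpSpawnOptions(workspaceEnv, hostEnv = process.env) {
  const { env, dropped } = sanitizeMcpEnv(workspaceEnv);
  if (dropped.length > 0) {
    console.warn(`MCP stdio env: dropped denied keys ${dropped.join(", ")}`);
  }
  return { env: { ...hostEnv, ...env }, stdio: "pipe" };
}

// Constructed sample of an MCP server "env" block as a workspace might supply it.
const sampleWorkspaceEnv = {
  MCP_API_URL: "http://localhost:8080",
  NODE_OPTIONS: "<constructed value>",
  ld_preload: "<constructed value>",
  BASH_ENV: "<constructed value>",
};
```

Logging the dropped keys gives operators a detection signal: a workspace that tries to set loader or runtime startup variables for its MCP servers deserves a closer look before the session continues.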

Release

Fixed in OpenClaw 2026.4.20.

Weakness Enumeration

Uncontrolled Search Path Element

Related Identifiers

GHSA-MJ59-H3Q9-GHFH

Affected Products

Openclaw