OpenClaw Path Traversal via Malicious SKILL.md
A vulnerability in OpenClaw's skill loader allowed a malicious SKILL.md to reference files outside the workspace directory via path traversal sequences, potentially exposing sensitive files to the agent.
Description
Security researcher @svpino discovered that OpenClaw's skill file loader did not properly sanitize file paths referenced in SKILL.md instructions. A malicious skill could instruct the agent to read files using relative paths like `../../.ssh/id_rsa`, bypassing the intended workspace sandboxing. The vulnerability was disclosed responsibly to the OpenClaw team, who shipped a patch (v2025.12.12) within 4 days. The fix adds strict path validation ensuring all file operations stay within the configured workspace directory.
Impact
Any user who installed a malicious skill from an untrusted source could have had files outside their workspace read by the agent. No confirmed exploitation in the wild, but the attack surface was significant given the growing ClawHub skill marketplace.
Attack Vectors
- Malicious SKILL.md with path traversal sequences (../../)
- Social engineering — distributing backdoored skills as useful tools
Mitigation
- Update OpenClaw to v2025.12.12 or later
- Only install skills from verified ClawHub publishers or audited sources
- Review SKILL.md content before installation
- Use the Skill Scanner tool to audit skills before running