AI Sec Watch

OpenClaw has a vulnerability where malicious plugins or hooks can execute arbitrary code during installation. An attacker can create a `.npmrc` file (npm's configuration file) in a malicious plugin or hook directory that redirects the git executable to a malicious program, which gets executed when OpenClaw runs `npm install` during the installation phase.

OpenClaw has a security inconsistency where the HTTP endpoint `/v1/models` (which serves OpenAI-compatible requests) accepts bearer authentication but doesn't check operator scopes (permissions that control what actions a user can perform), while the WebSocket RPC path correctly requires the `operator.read` scope. This means someone with only `operator.approvals` permission can bypass the scope requirement and view model metadata through the HTTP route, even though they would be rejected over WebSocket.

OpenClaw has a path traversal vulnerability (CWE-22, a type of attack where an attacker uses special characters like ../ to access files outside their intended directory) that allows sandboxed agents to read files from other agents' workspaces. The vulnerability exists because the sandbox validation function only checks certain parameter keys (media, path, filePath) but misses mediaUrl and fileUrl, which are actually used by messaging extensions. Additionally, a separate function fails to pass the sandbox root restrictions to plugins, allowing them to read the entire ~/.openclaw/ directory instead of just an individual agent's folder.

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project where user API tokens are stored in process-wide environment variables without proper isolation. Because Streamlit (a web framework for Python applications) runs multiple users in a single process, credentials entered by one user can be accessed by other users, allowing attackers to steal sensitive tokens like GitHub Personal Access Tokens or LLM API keys.

OpenAI patched a vulnerability in ChatGPT that allowed attackers to secretly extract sensitive user data, such as conversation messages and uploaded files, by exploiting a hidden DNS-based communication path (a covert channel using the Domain Name System to send data) in the Linux runtime that the AI uses for code execution. The flaw bypassed ChatGPT's built-in safety guardrails (protections designed to prevent unauthorized data sharing) and could be triggered through malicious prompts or embedded in custom GPTs without triggering any user warnings.

CrewAI has a vulnerability where it fails to properly verify that Docker (a containerization tool that isolates applications) is still running during execution. When Docker stops, the software falls back to a less secure sandbox setting that can be exploited for RCE (remote code execution, where an attacker runs commands on a system they don't control).

CrewAI contains a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making unwanted requests to other systems) that allows attackers to access content from internal and cloud services. The vulnerability exists because the RAG search tools (a feature that retrieves external documents to help answer questions) do not properly validate URLs that users provide at runtime.

CrewAI has a vulnerability where its JSON loader tool reads files without checking file paths, allowing attackers to access any file on the server. This is called arbitrary local file read, and it happens because the tool doesn't validate (check) which files users are allowed to access.

CrewAI's CodeInterpreter tool has a security flaw where it falls back to SandboxPython when Docker (a containerization system for running code safely) is unavailable, which can allow RCE (remote code execution, where an attacker runs commands on a system they don't own) through arbitrary C function calling.