GHSA-r6h2-5gqq-v5v6: OpenClaw: Reject symlinks in local skill packaging script
Summary
OpenClaw's skill packaging script followed symlinks (symbolic links, i.e. shortcuts to files stored elsewhere on the computer) while building `.skill` archives, so a link placed inside a skill directory could pull unintended files from outside that directory into the archive. This issue only affects local skill authors during packaging and is rated low severity, since it cannot be triggered remotely through the normal OpenClaw system.
Solution / Mitigation
Reject symlinks during skill packaging. Add regression tests for the symlink file and symlink directory cases. Update the packaging guidance to document the symlink restriction. The fix is available in commits c275932aa4230fb7a8212fe1b9d2a18424874b3f and ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0, with the patched version planned for release as openclaw@2026.2.18.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-r6h2-5gqq-v5v6
First tracked: February 20, 2026 at 07:00 PM