SECURITY • OpenClaw quick fix
Featured: @The_Cyber_News

OpenClaw before 2026.4.22? Audit sandbox and MCP exposure.

A recent cluster of security posts on X is useful because it points to official records, not just chatter. NVD and GitHub advisories list four OpenClaw issues fixed in 2026.4.22: OpenShell filesystem write and read symlink-race escapes, shell expansion hidden in unquoted heredocs, and a spoofable loopback MCP owner context. If an older install was exposed to shared users, tunnels, reverse proxies, or untrusted prompts/plugins, treat this as an upgrade-and-exposure review before trusting agent work again.

In simple words: Make a safe copy if the step could change your setup, try the smallest check, then confirm OpenClaw is back to normal before doing more. The source link and commands stay below for people who want the technical detail.

Checklist

- Find every laptop, VPS, container, and shared OpenClaw host and check whether it is older than 2026.4.22; the GitHub advisories list `<= 2026.4.21` as vulnerable.

  Fast version, backup, and audit note:

  ```
  openclaw --version
  openclaw backup create --verify
  # Upgrade anything <= 2026.4.21 before resuming risky OpenShell/MCP work.
  ```

- Snapshot first with a verified backup, then upgrade affected installs before running more OpenShell, MCP, plugin, or unattended agent work.
- Review whether OpenShell sandbox mounts, filesystem bridge operations, exec allowlisted commands, or loopback MCP routes were reachable from untrusted prompts, users, plugins, tunnels, or reverse proxies.

  Exposure questions to answer:

  - Was OpenShell or the filesystem bridge reachable from untrusted prompts/plugins/users?
  - Did any workflow allow shell execution with heredocs or generated commands?
  - Were loopback MCP routes reachable from anything except the trusted local operator context?
  - Do logs, backups, or git status show unexpected file reads/writes, config changes, or agent actions?

- If sandbox or MCP surfaces were exposed, preserve logs, compare workspace/config state against a known-good backup, and rotate secrets that agents or escaped filesystem reads could have reached.
- After upgrading, run a narrow smoke test for the shell/filesystem/MCP paths your agents actually use, then write down the version, backup label, and audit decision.

Success looks like

- No shared or network-reachable OpenClaw install remains at or below 2026.4.21.
- You know whether OpenShell filesystem, exec allowlist, or loopback MCP surfaces were exposed during the vulnerable window.
- Any suspicious exposure has an incident note, preserved logs, state comparison, and secret-rotation decision instead of being treated as a normal config cleanup.
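
For the exposure question about heredocs, the following added example (not OpenClaw code and not taken from the advisories) scans shell text, such as commands recovered from agent or exec logs, and flags heredocs whose delimiter is unquoted and whose body contains something the shell would still expand. The sample commands are constructed and `find_expanding_heredocs` is a hypothetical helper name; where your install records executed commands is an assumption left for you to fill in.

```python
import re

# Heredoc opener: "<<" or "<<-" (not the "<<<" here-string), then the delimiter.
# Quoting any part of the delimiter ('EOF', "EOF", \EOF) turns expansion off.
OPENER = re.compile(
    r"(?<!<)<<(?!<)(?P<dash>-?)[ \t]*(?P<q>['\"]?)(?P<bs>\\?)"
    r"(?P<tag>[A-Za-z_][A-Za-z0-9_]*)(?P=q)"
)
# Still evaluated inside an unquoted body: $(...), $((...)), `...`, $VAR, ${VAR}.
# A backslash-escaped $ or ` stays literal, so it is not counted.
EXPANSION = re.compile(r"(?<!\\)(?:\$\(|`|\$\{?[A-Za-z_])")

def find_expanding_heredocs(script: str) -> list:
    """Hypothetical helper: flag unquoted heredocs with expanding bodies (one heredoc per line)."""
    findings, lines, i = [], script.splitlines(), 0
    while i < len(lines):
        opener = OPENER.search(lines[i])
        i += 1
        if not opener:
            continue
        start, body = i, []  # start = 1-based line number of the command
        while i < len(lines):
            # "<<-" strips leading tabs from body lines and from the delimiter.
            line = lines[i].lstrip("\t") if opener["dash"] else lines[i]
            i += 1
            if line == opener["tag"]:
                break
            body.append(line)
        quoted = bool(opener["q"] or opener["bs"])
        hits = [] if quoted else [b for b in body if EXPANSION.search(b)]
        if hits:
            findings.append({"line": start, "tag": opener["tag"], "expands": hits})
    return findings

# Constructed sample: three commands as they might appear in an exec log.
SAMPLE = """\
cat <<EOF > notes.txt
built on $(hostname) by ${USER}
EOF
cat <<'EOF' > notes.txt
built on $(hostname)
EOF
cat <<-EOF
\tprice is \\$5
\tEOF
"""

if __name__ == "__main__":
    for f in find_expanding_heredocs(SAMPLE):
        print(f"line {f['line']}: unquoted <<{f['tag']} expands {f['expands']}")
```

A hit is a review lead rather than proof of abuse: the next step is checking who could influence that command text during the vulnerable window.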

Source: NVD + GitHub advisories · link