SECURITY • OpenClaw quick fix
Featured: @CVEnew

OpenClaw before 2026.5.18? Audit shell-wrapper approvals.

CVE-2026-53822 is a sharp reminder that command approval is only useful when the command shape that was checked is the command shape that actually runs. GitHub's advisory says affected OpenClaw versions could approve one shell-wrapper argv shape and then rebuild a different one for execution, bypassing the allowlist in configurations where that path was enabled and reachable. Treat this as a narrow but high-leverage upgrade and audit: patch to 2026.5.18 or later, require explicit approval for wrapper-heavy commands until the host is patched, and prove that your exec policy still acts as a boundary with a small negative test before unattended agents resume host execution.

In simple words: Make a safe copy if the step could change your setup, try the smallest check, then confirm OpenClaw is back to normal before doing more. The source link and commands stay below for people who want the technical detail.

Checklist
Check every laptop, VPS, container, and shared agent host that can run OpenClaw host exec; anything before `2026.5.18` needs an upgrade or a compensating stop rule (pause host exec, or approval-only for wrapper commands).
Fast host-exec audit
openclaw --version
openclaw approvals get || true
openclaw exec-policy show || true
# If version is before 2026.5.18, patch before trusting shell-wrapper allowlists.
Before changing exec policy, create a verified backup or rollback note and record which channels, plugins, or agents can reach host command execution.
Patch OpenClaw to `2026.5.18` or later before relying on shell-wrapper or allowlisted host-exec paths for unattended work.
Until the host is patched, require explicit approval for shell wrappers and avoid durable allowlist entries for wrapper-heavy command shapes.
Run `openclaw approvals get` or `openclaw exec-policy show`, then confirm the effective policy is the stricter path you intended, rather than whatever a stale local approvals file still says.
Perform one negative test: a wrapper/eval-style command that should not be auto-allowed must request approval or be denied before you re-enable recurring agents.
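To make the mechanism from the summary and the negative test above concrete, here is an added model of the bug class. It is written for this page; it is not OpenClaw code and does not reproduce the advisory's actual code path. Everything in it is an assumption for illustration: the allowlist, the `sh -c` / `bash -c` unwrapping, and the names `decide`, `run_vulnerable`, `run_fixed` and `negative_test`. The vulnerable path approves a token list and then runs a re-joined string through a shell; the fixed path runs exactly the token list that was approved. The probe command and the `INJECTED` marker are constructed inputs.

```python
"""Model of the approve-one-shape, run-another-shape bug class.
Hypothetical illustration, not OpenClaw's implementation."""
import shlex
import subprocess

ALLOWLIST = {"echo"}        # constructed: programs an unattended agent may run unprompted
WRAPPERS = {"sh", "bash"}   # shell wrappers the approver knows how to look inside
MARKER = "INJECTED"         # if this appears as its own output line, a second command ran


def inner_argv(argv):
    """Return the argv the approver inspects: `sh -c '<cmd>'` is unwrapped by
    tokenising <cmd> with shell quoting rules; anything else is used as-is."""
    if len(argv) == 3 and argv[0] in WRAPPERS and argv[1] == "-c":
        return shlex.split(argv[2])
    return list(argv)


def decide(argv, wrappers_need_approval=False):
    """Allowlist decision on the checked shape. 'prompt' means a human must approve."""
    inner = inner_argv(argv)
    if not inner or inner[0] not in ALLOWLIST:
        return "prompt"
    if wrappers_need_approval and argv[0] in WRAPPERS:
        return "prompt"  # compensating rule for unpatched hosts: wrappers always prompt
    return "allow"


def run_vulnerable(argv):
    """Bug pattern: the approved token list is re-joined into a flat string and handed
    back to a shell. The quotes that kept ';' inside one argument are gone, so the
    shell now sees two commands although only one program name was checked."""
    inner = inner_argv(argv)
    rebuilt = ["sh", "-c", " ".join(inner)]  # shape changed after the check
    return subprocess.run(rebuilt, capture_output=True, text=True).stdout


def run_fixed(argv):
    """Fix: execute exactly the token list that was approved, with no shell in between."""
    inner = inner_argv(argv)
    return subprocess.run(inner, capture_output=True, text=True).stdout


def negative_test(runner, wrappers_need_approval=False):
    """One negative test in the spirit of the checklist: a wrapper command whose single
    approved argument hides a second command. Returns (decision, marker_executed)."""
    argv = ["sh", "-c", f'echo "hello; echo {MARKER}"']  # constructed probe
    decision = decide(argv, wrappers_need_approval)
    if decision != "allow":
        return decision, False  # prompted: the boundary held without running anything
    out = runner(argv)
    return decision, MARKER in out.splitlines()  # exact line, not a substring match


if __name__ == "__main__":
    for name, runner in (("vulnerable", run_vulnerable), ("fixed", run_fixed)):
        print(name, negative_test(runner))
    print("unpatched + approval-only rule", negative_test(run_vulnerable, True))
```

The probe is approved in both paths because the approver only ever sees `echo` as the program name; what differs is whether the executed shape is still the approved one. The compensating rule (`wrappers_need_approval=True`) models the interim "require explicit approval for shell wrappers" step: it never lets the probe run unprompted, which is the outcome the receipt below should record on an unpatched host.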
Approval-boundary receipt
- Host / workspace audited:
- OpenClaw version before audit:
- Patched to 2026.5.18+?
- Channels/plugins/agents that can reach host exec:
- Wrapper-heavy allowlist entries reviewed:
- Negative test command shape:
- Result: prompted / denied / unexpectedly allowed:
- Rollback or pause decision:
Success looks like
No OpenClaw host that can execute approved shell-wrapper commands remains below 2026.5.18 without a written pause/approval-only rule.
Wrapper-heavy commands require explicit approval until the patch is installed and the effective exec policy is checked.
A negative test proves command approval is still acting as a boundary before unattended agents resume host execution.

Source: GitHub advisory GHSA-2j8v-hwgc-x698 + OpenClaw exec approvals docs