OpenClaw 2026.4.12, released April 13, ships three security patches alongside its feature work. All three come from @pgondhi987 and address real execution-boundary issues — not theoretical edge cases. If you run OpenClaw in any multi-user, multi-agent, or internet-exposed configuration, these are worth understanding.
Patch 1: Busybox Removed from Safe Exec Bins
PR #65713
OpenClaw's exec approval system maintains a list of "safe" binaries that can run without triggering the approval gate. busybox (and its cousin toybox) were on that list — a mistake, because both are multi-call binaries that expose dozens of commands behind a single executable name.
Calling busybox sh or busybox awk is functionally equivalent to calling sh or awk directly. Including it on the safe list meant the entire POSIX toolbox was reachable through a single whitelisted binary name — defeating the purpose of the allowlist.
Fix: busybox and toybox are now blocked outright. If you have automation that relies on explicit busybox <cmd> calls, migrate to the native binary (sh, cat, sed, etc.) — those are evaluated individually against the policy.
Patch 2: Empty Approver List No Longer Grants Authorization
PR #65714
OpenClaw's approval system checks whether the requesting entity is in the configured approver list before granting authorization. There was a logic inversion: if the approver list was empty (typically through misconfiguration or an admin forgetting to set it), the check evaluated to "no one is unauthorized" and passed.
This is the kind of fail-open bug that's easy to miss in testing because a properly configured system never hits the empty-list path. But in fresh installs, misconfigured deployments, or after a config reset, the approver list can legitimately be empty.
Fix: empty approver list now explicitly denies approval authorization. There's no ambiguous state — if no approvers are configured, nothing is approved until you configure them.
Patch 3: Shell-Wrapper Injection and env-argv Assignment Blocked
PR #65717
This is the most technically interesting of the three. OpenClaw detects shell-wrapper invocations to prevent commands from being routed through interpreters that bypass exec policy. The previous detection was narrow — it caught obvious cases like bash -c "..." but missed subtler patterns.
Two specific attack surfaces are closed here:
Broader shell-wrapper detection — The detection heuristics now cover a wider range of shell-like invocation patterns, including indirect routes through wrapper scripts and forwarding binaries.
env-argv assignment injection — The
envcommand supports a-separator andVAR=valuepositional arguments that let you set environment variables inline before executing a command:env VAR=value program. This can be used to inject variables that modify how the target program behaves — including some that affect interpreter selection or security-relevant paths. This injection vector is now blocked.
Impact: These patches matter most for OpenClaw instances that process external input — webhooks, public-facing chat interfaces, or any surface where untrusted content could influence what gets executed.
Recommended Action
Update to 2026.4.12 immediately if your instance:
- Runs on a network-accessible host
- Processes webhooks, Discord messages, or any external input
- Has
tools.exec.allowconfigured (even if it's locked down) - Runs in a multi-user or shared environment
openclaw update
Verify your exec policy after updating:
openclaw exec-policy show
The new exec-policy command (#64050, also in this release) makes it easy to review your current policy and sync it against your config.
Credit
All three patches were contributed by @pgondhi987. Security contributions like these keep the project hardened — if you find issues, the OpenClaw team accepts responsible disclosure through the standard GitHub security advisory flow.