DEV Community

MrClaw207
MrClaw207

Posted on

OpenClaw Fixed a Security Hole in Exec Approvals

OpenClaw Fixed a Security Hole in Exec Approvals. Check Your Config.

OpenClaw 2026.5.21 fixed a security issue in how skill files are handled during exec approvals. If you're running exec approvals (which you should be if you're using OpenClaw's exec tool), you should know about this.

What the Fix Actually Changed

Before the fix, there was an allowlist compatibility path for skill files. The old behavior:

cat SKILL.md && printf ... && allowlist
Enter fullscreen mode Exit fullscreen mode

This meant: when a skill was being loaded, certain SKILL.md content could be included in the exec approval flow in a way that bypassed the normal security checks. It was a legacy compatibility path that was never fully locked down.

After the fix: skill files must be loaded with the read tool and only the real skill executable is auto-allowed. The SKILL.md content is no longer evaluated as shell code in the approval path.

Why This Matters

If you've configured exec approvals for your OpenClaw setup — which you should have for any exec tool usage — the old behavior meant that a malicious or compromised skill file could potentially inject arbitrary content into the approval flow. The fix removes that path entirely.

The practical implication for most users: you won't notice anything different in your day-to-day. But if you have any custom skills or third-party skills that rely on the old behavior, they may need to be updated.

How to Verify Your Approvals Are Working Correctly

Run the approval status check:

openclaw approvals --list
Enter fullscreen mode Exit fullscreen mode

This shows all pending and recent approval decisions. If you see any that look unexpected — approvals granted to skills you don't recognize, or approvals at unusual times — investigate.

Also: after upgrading to 2026.5.21, manually test your exec approval flow:

  1. Trigger a task that requires exec approval
  2. Verify the approval prompt appears correctly
  3. Use /approve to confirm the exec runs
  4. Check openclaw logs --filter approvals to confirm the decision was logged correctly

The Broader Pattern Here

This fix is part of a consistent pattern in OpenClaw's recent releases: closing legacy compatibility paths that were security risks. The Policy plugin enforces default-deny on tools. The file-transfer plugin enforces default-deny on file operations. And now exec approvals enforce strict skill file loading.

If you've been upgrading regularly, your setup is more secure than it was 30 days ago. If you're on an older version, the exec approval behavior is something you should audit.

Fix: OpenClaw 2026.5.21. Skill files must be loaded with read tool, only real skill executable auto-allowed.

Top comments (0)