CVE-2026-27485
OpenClaw: Reject symlinks in local skill packaging script
Description
## Vulnerability

`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed symlinks while building `.skill` archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.

## Severity and Exposure

- **Severity:** Low
- **Execution context:** local/manual workflow only (skill author packaging step)
- **No remote trigger:** this is not reachable via normal OpenClaw gateway/chat runtime paths
- **No extraction Zip Slip in this finding:** this issue is limited to packaging-time symlink following

## Impact

- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.
- Requires local execution of the packaging script on attacker-controlled skill contents.

## Affected Components

- `skills/skill-creator/scripts/package_skill.py`

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published version during triage: `2026.2.17`
- Vulnerable version range: `<= 2026.2.17`
- Planned patched version (next release): `2026.2.18`

## Remediation

- Reject symlinks during skill packaging.
- Add regression tests for symlink file and symlink directory cases.
- Update packaging guidance to document the symlink restriction.

## Fix Commit(s)

- `c275932aa4230fb7a8212fe1b9d2a18424874b3f`
- `ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0`

## Related PR

- https://github.com/openclaw/openclaw/pull/20796

## Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.18`). Once npm `[email protected]` is published, this advisory is ready to publish without additional edits.

Thanks @aether-ai-agent for reporting.
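The remediation above (refuse symlinks, with regression coverage for both the file-symlink and directory-symlink cases) is small enough to show end to end. The following is an added example written for this page; it is not OpenClaw's `package_skill.py` and does not reproduce its code. It assumes a POSIX host where `os.symlink` works without elevated privileges, and the `.skill` layout (a `SKILL.md` plus a `scripts/` directory) is a constructed stand-in. `find_symlinks` walks the skill root with `followlinks=False` so a symlinked directory is reported rather than descended into, and `package_skill` re-checks each path at write time rather than trusting the earlier scan.

```python
"""Added example (not OpenClaw's package_skill.py): build a .skill zip archive
while refusing symlinks, the packaging-time mitigation the advisory describes."""
import os
import tempfile
import zipfile
from pathlib import Path


class SymlinkInSkillError(ValueError):
    """Raised when a symlink (file or directory) is found inside the skill root."""


def find_symlinks(skill_root):
    """Return sorted relative paths of every symlink under skill_root.

    os.walk is called with followlinks=False, so a symlinked directory is
    listed once as a symlink and never traversed (that also avoids loops when
    the link points back at a parent directory).
    """
    root = Path(skill_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                found.append(str(entry.relative_to(root)))
    return sorted(found)


def package_skill(skill_root, out_path):
    """Zip skill_root into out_path, rejecting symlinks before and during the write.

    Returns the number of regular files written to the archive.
    """
    root = Path(skill_root)
    if root.is_symlink():
        raise SymlinkInSkillError(f"skill root itself is a symlink: {root}")
    links = find_symlinks(root)
    if links:
        raise SymlinkInSkillError(f"symlinks are not allowed in a skill: {links}")
    written = 0
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                entry = Path(dirpath) / name
                # Re-check at write time so a link swapped in after the scan
                # (a time-of-check/time-of-use race) is still refused.
                if entry.is_symlink():
                    raise SymlinkInSkillError(f"symlink appeared during packaging: {entry}")
                zf.write(entry, arcname=str(entry.relative_to(root)))
                written += 1
    return written


def demo():
    """Constructed scenario: one clean skill and one whose symlinks escape the root.

    Returns (files_written_for_clean, clean_archive_names,
             symlinks_found_in_bad, bad_was_rejected).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        # A file that lives outside any skill root and must never be archived.
        outside = tmp / "outside-secret.txt"
        outside.write_text("not part of the skill\n")

        clean = tmp / "clean-skill"
        (clean / "scripts").mkdir(parents=True)
        (clean / "SKILL.md").write_text("# clean skill\n")
        (clean / "scripts" / "run.py").write_text("print('hi')\n")

        bad = tmp / "bad-skill"
        bad.mkdir()
        (bad / "SKILL.md").write_text("# bad skill\n")
        os.symlink(outside, bad / "leak.txt")  # file symlink pointing outside the root
        os.symlink(tmp, bad / "parent")        # directory symlink pointing at the parent

        count = package_skill(clean, tmp / "clean.skill")
        with zipfile.ZipFile(tmp / "clean.skill") as zf:
            names = sorted(zf.namelist())

        links = find_symlinks(bad)
        try:
            package_skill(bad, tmp / "bad.skill")
            rejected = False
        except SymlinkInSkillError:
            rejected = True
        return count, names, links, rejected


if __name__ == "__main__":
    print(demo())
```

The directory-symlink case matters as much as the file case: with `followlinks=True` (or a naive recursive `listdir`), a link to `..` would pull the entire parent tree, including the packaging user's other files, into the archive, and a self-referential link would never terminate.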
How to fix CVE-2026-27485
To remediate CVE-2026-27485, upgrade the affected package to a fixed version below.
- Upgrade `openclaw` to 2026.2.19 or later
Is CVE-2026-27485 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.