Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27008 is a vulnerability in the OpenClaw personal AI assistant affecting versions prior to 2026.2.15. The issue arises from a bug in the skill installation process, specifically in the `download` skill installer. The vulnerability allows the `targetDir` parameter, which specifies where skill files are installed, to resolve outside the intended per-skill tools directory if not properly validated.'}, {'type': 'paragraph', 'content': "Because the `skills.install` flow is admin-only, this bug could be exploited to write files outside the designated installation sandbox, potentially leading to unauthorized file system modifications. The fix in version 2026.2.15 restricts the `targetDir` values to be relative paths within the skill's own tools directory and adds security checks to validate and sanitize these paths, preventing directory traversal or arbitrary file writes."}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with admin privileges to write files outside the intended skill installation directory. This could lead to unauthorized modification of files on the system where OpenClaw is installed.

Such unauthorized file writes could be used to overwrite critical files, introduce malicious code, or compromise the integrity and security of the system. Although the installation flow is admin-only, exploitation could still result in significant security risks including potential system compromise or data corruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if skill installations in OpenClaw are attempting to write files outside their designated per-skill tools directories by exploiting the `targetDir` parameter.

One approach is to monitor or audit the skill installation process, especially the `skills.install` admin-only flow, for any unusual file writes or directory traversals outside expected paths.

Since the vulnerability relates to archive extraction (e.g., tar.bz2) during skill installation, you can inspect the contents of skill archives before installation to detect directory traversal or symlink attacks.

• Use `tar tf <archive>` to list archive contents and check for suspicious paths like `../` or absolute paths.
• Use `tar tvf <archive>` to detect symbolic links inside the archive.

Additionally, monitoring logs or running tests that simulate skill installation with malformed archives can help detect attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.2.15 or later, which contains the fix restricting skill download target directories to the per-skill tools directory.

This fix enforces validation and sanitization of the `targetDir` parameter during skill installation, preventing writes outside the intended sandbox.

If upgrading immediately is not possible, restrict administrative access to the `skills.install` flow to trusted users only, as the vulnerability is exploitable only in the admin-only installation process.

Also, consider auditing and validating skill packages before installation to ensure they do not contain malicious archive contents such as directory traversal paths or symlinks.

Useful 0 Not Useful 0