
The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. Tools with "read" in their name are classified as read operations, and if auto-approval for reads is enabled, they execute without prompting the user. The blacklist DANGEROUS_ACP_TOOLS blocks fs_write but fails to block fs_read, allowing a malicious agent to define a tool named fs_read and exfiltrate any file the user has access to.

Key Finding: Auto-approval for read-class operations can be bypassed by spoofing tool names or metadata, enabling unauthorized file reads.

Affected Component

  • Files:
    • src/acp/client.ts
    • src/security/dangerous-tools.ts
  • Functions / Definitions:
    • resolveToolKindForPermission
    • DANGEROUS_ACP_TOOLS definition
  • Package / Version: openclaw (npm), <= 2026.2.22-2
  • Patched Versions: >= 2026.2.23
  • Vendor: OpenClaw Community
  • Technology: Node.js, ACP

Attack Chain

| Step | Action | Requirement | Vector |
|---|---|---|---|
| 1 | Attacker controls ACP server or agent | Ability to define ACP tools | Network / ACP protocol |
| 2 | Define a tool named fs_read | None | Tool metadata |
| 3 | Target OpenClaw user with read permission enabled | User must enable "read" auto-approval | ACP client |
| 4 | Invoke fs_read with path to sensitive file | Knowledge of file path | Network / ACP tool call |
| 5 | OpenClaw client auto-approves the request | Flawed tool classification logic | File content exfiltration |

Root Cause Analysis

Primary Vulnerability: Untrusted Tool Classification

```typescript
// src/acp/client.ts, lines 92-93
// VULNERABLE: Auto-classifies as "read" based on name
if (normalized === "read" || hasToken("read")) {
  return "read";
}
```

```typescript
// src/security/dangerous-tools.ts, lines 31-33
// VULNERABLE: Missing "fs_read" in blacklist
"fs_write",
"fs_delete",
"fs_move",
```

Issues:

  • Auto-approval relies on heuristic matching of tool names containing "read"
  • Non-core read-like tool names (e.g., fs_read) are not blocked
  • Untrusted metadata in toolCall.kind could bypass authorization checks

Exploitation Example (PoC)

  1. Attacker defines an ACP tool named fs_read.
  2. OpenClaw user connects with read permission auto-approval enabled.
  3. Attacker invokes:
fs_read ~/.ssh/id_rsa

Result:

  • OpenClaw client auto-approves the request
  • Contents of the targeted file (~/.ssh/id_rsa) are sent to the attacker
  • Enables sensitive file exfiltration without user interaction

Impact

  • Confidentiality (Low): Sensitive files (SSH keys, configuration files) can be exfiltrated
  • Integrity (Low): No direct modification, but exfiltrated files could be used for further compromise
  • Availability (None): System continues running normally

Attack Scenarios:

  1. Exfiltrate private keys or credentials via spoofed fs_read tool
  2. Supply chain compromise if ACP server is malicious
  3. Unauthorized read access to sensitive configuration or secrets

Limitations:

  • Requires user to enable auto-approval for read operations
  • Only affects users running OpenClaw with the ACP client connected to a malicious or compromised agent

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4 (Medium)

Required Attacker Capability

  • Control of an ACP server or agent
  • Target user must have enabled read-permission auto-approval
  • No elevated system privileges required

Remediation

Fixed in 2026.2.23 by:

  • Requiring trusted core tool IDs for auto-approval
  • Ignoring untrusted toolCall.kind metadata for authorization
  • Scoping read auto-approval to cwd-resolved paths
  • Adding stricter tool-name validation and regression tests for spoofed kind or non-core read-like names
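The hardening listed above, as an added example that is not OpenClaw's own code: the trusted core set, the `ToolCall` shape and the function names are assumptions; the pre-fix classifier is kept beside the hardened one so the spoofed `fs_read` name and a forged `kind` can be seen to pass the first and fail the second.

```typescript
import * as os from "node:os";
import * as path from "node:path";

// Constructed example (not OpenClaw's code): models the fix described above.
type ToolKind = "read" | "other";

interface ToolCall {
  toolId: string;  // tool name advertised by the agent (untrusted)
  kind?: string;   // agent-supplied classification (untrusted, must be ignored)
  args: string[];  // first argument assumed to be the target path
}

// Hypothetical trusted core set: only IDs the client itself defines.
const TRUSTED_READ_TOOLS: ReadonlySet<string> = new Set(["read"]);

// Pre-fix behaviour, kept for contrast: trusts toolCall.kind and any name
// carrying a "read" token, so "fs_read" is classified as a read.
function resolveToolKindVulnerable(call: ToolCall): ToolKind {
  const normalized = call.toolId.trim().toLowerCase();
  const hasToken = (t: string) => normalized.split(/[_\-\s]+/).includes(t);
  if (call.kind === "read") return "read";
  if (normalized === "read" || hasToken("read")) return "read";
  return "other";
}

// Hardened: exact match against trusted core IDs; kind metadata is ignored.
function resolveToolKindHardened(call: ToolCall): ToolKind {
  return TRUSTED_READ_TOOLS.has(call.toolId.trim().toLowerCase()) ? "read" : "other";
}

// Read auto-approval is additionally scoped to paths resolving inside cwd.
// "~" is expanded first so a home-relative path cannot masquerade as cwd-relative.
function isPathWithinCwd(target: string, cwd: string): boolean {
  const expanded = target === "~" || target.startsWith("~/")
    ? path.join(os.homedir(), target.slice(1))
    : target;
  const rel = path.relative(cwd, path.resolve(cwd, expanded));
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Auto-approve only when reads are enabled, the tool is a trusted core read,
// and the requested path stays inside the working directory.
function shouldAutoApprove(call: ToolCall, cwd: string, autoApproveReads: boolean): boolean {
  if (!autoApproveReads) return false;
  if (resolveToolKindHardened(call) !== "read") return false;
  return isPathWithinCwd(call.args[0] || "", cwd);
}
```

Anything that fails `shouldAutoApprove` still falls through to the normal user prompt rather than being silently denied.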

Fix Commits:


References

  • CWE-863: Incorrect Authorization
  • CWE-20: Improper Input Validation
  • Node.js ACP client implementation notes
  • OpenClaw ACP documentation