Listen to this Post
The vulnerability resides in the OpenClaw gateway method `skills.status` . Prior to version 2026.2.14, this method returned a comprehensive requirements report for skills, which included a `configChecks[].value` field. This field contained the raw, resolved configuration values for any `requires.config` paths specified by a skill . If a skill requested a broad configuration subtree, such as channels.discord, the entire block of data, including sensitive secrets like Discord bot tokens, would be exposed in the report . Critically, the `skills.status` endpoint is callable by clients with only the `operator.read` scope. This means an authenticated client with read-only privileges, which should not have access to configuration secrets, could retrieve them without needing `operator.admin` or `config.` permissions . The fix involved modifying the requirements check to return only the configuration `path` and a boolean `satisfied` status, completely omitting the resolved value. Additionally, the Discord skill’s requirement was narrowed to request only the specific token key rather than the entire configuration block .
Platform: OpenClaw (npm)
Version: <= 2026.2.13
Vulnerability: Configuration secrets disclosure
Severity: Medium
date: 2026-02-17
Prediction: Patched 2026.2.14
What Undercode Say:
Analytics
The vulnerability affects all OpenClaw npm package versions up to and including 2026.2.13 . The issue was patched in version 2026.2.14 with two commits (d3428053 and ebc68861) that removed the resolved values from the requirement checks . Approximately 2.28 million downloads of the npm package occurred in the month prior to the fix, indicating a significant user base potentially exposed . The vulnerability requires no special privileges beyond a read-scoped client, making it easily exploitable by any authenticated user with minimal access rights.
Bash Commands and Code
Check current OpenClaw version:
npm list openclaw or clawhub --version
Check for vulnerable `skills.status` response (conceptual):
Authenticate as a read-scoped client and request skill status
clawhub auth login --scope operator.read
curl -X POST http://localhost:3030/api/skills.status \
-H "Authorization: Bearer $READ_TOKEN" \
-d '{"skill": "discord-bot"}'
Simulate patched behavior (config value no longer exposed):
After upgrading to >=2026.2.14, the response should lack .value
curl -s -X POST http://localhost:3030/api/skills.status \
-H "Authorization: Bearer $READ_TOKEN" \
-d '{"skill": "discord-bot"}' | jq '.configChecks[] | {path, satisfied}'
Upgrade to patched version:
npm install [email protected] or globally npm install -g [email protected]
Exploit
An attacker with read-only access to an OpenClaw instance can enumerate installed skills and retrieve their configuration secrets. The attacker first lists available skills, then calls `skills.status` for any skill that requires configuration. The response includes `configChecks[].value` containing raw secrets like API tokens, database passwords, or service credentials. The attack requires no special permissions beyond the lowest `operator.read` scope, making it a privilege escalation vector from read-only to credential access.
Protection
Immediately upgrade to OpenClaw version 2026.2.14 or later . Rotate any Discord tokens or other secrets that may have been exposed through the vulnerable endpoint, especially if read-scoped clients had access to the system during the vulnerable period . Audit access logs for any unauthorized `skills.status` calls by read-only clients. Implement network segmentation to limit which clients can reach the OpenClaw API.
Impact
Successful exploitation allows read-only users to obtain sensitive configuration data, including API keys, authentication tokens, and service credentials. This can lead to account takeover, unauthorized access to integrated services (like Discord), and potential lateral movement within connected systems. The vulnerability bypasses the intended access control separation between `operator.read` and operator.admin/config. scopes . Organizations using OpenClaw with read-only service accounts or shared read credentials are at highest risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

