Security Advisories | Source: GitHub Security Advisories
[openclaw] OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
By GitHub, March 14, 2026
**Summary**
OpenClaw automatically discovered and loaded plugins from `.openclaw/extensions/` inside the current workspace without an explicit trust or install step. A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory.

**Impact**
Opening or running OpenClaw in an untrusted repository could lead to arbitrary code execution under the user's account.

**Affected versions**
openclaw <= 2026.3.11

**Patch**
Fixed in openclaw 2026.3.12. Workspace plugin loading now requires explicit trusted state before execution...
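The trust gate described under Patch, sketched as an added example (not OpenClaw's own code; the trust-store file, its JSON layout and all function names are assumptions): plugins under `.openclaw/extensions/` are discovered but only returned for loading after an explicit trust step recorded outside the workspace, and any later edit to the plugin files revokes that trust.

```python
import hashlib
import json
import tempfile
from pathlib import Path

EXT_DIR = Path(".openclaw") / "extensions"  # directory named in the advisory

def discover(workspace: Path) -> list:
    """List plugin entries in the workspace. Discovery only; nothing is executed."""
    root = workspace / EXT_DIR
    return sorted(root.iterdir()) if root.is_dir() else []

def digest(workspace: Path) -> str:
    """Hash every file under the extensions directory so any edit revokes trust."""
    root, h = workspace / EXT_DIR, hashlib.sha256()
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        data = f.read_bytes()
        h.update(f.relative_to(root).as_posix().encode() + b"\0")
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def _read(trust_file: Path) -> dict:
    return json.loads(trust_file.read_text()) if trust_file.exists() else {}

def trust(workspace: Path, trust_file: Path) -> None:
    """Explicit user action. trust_file (assumed name) must live outside the workspace."""
    ws, store = workspace.resolve(), _read(trust_file)
    store[str(ws)] = digest(ws)
    trust_file.write_text(json.dumps(store))

def loadable(workspace: Path, trust_file: Path) -> list:
    """Return plugins only when this exact content was trusted; otherwise none."""
    ws = workspace.resolve()
    found = discover(ws)
    return found if found and _read(trust_file).get(str(ws)) == digest(ws) else []

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample workspace
        ws, store = Path(tmp, "cloned-repo"), Path(tmp, "user-trust.json")
        plugin = ws / EXT_DIR / "sample-plugin" / "index.js"
        plugin.parent.mkdir(parents=True)
        plugin.write_text("// constructed placeholder plugin\n")
        print("untrusted clone:", loadable(ws, store))
        trust(ws, store)
        print("after trust:", [p.name for p in loadable(ws, store)])
        plugin.write_text("// changed after trust\n")
        print("after edit:", loadable(ws, store))
```

Keeping the trust record in a user-level location matters: a record stored inside the repository could be shipped by the repository itself.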
---
**[devsupporter commentary]**
This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.