![[openclaw] OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace](/assets/images/github_com_1772501090698.png)
Security Advisories์ถ์ฒ: GitHub Security Advisories์กฐํ์ 2
[openclaw] OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
By GitHub2026๋
3์ 3์ผ
**[openclaw] OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace**
Overview In affected versions, OpenClawโs sandbox skill mirroring used the skillโs frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments (for example ../) or an absolute path could cause the copy to write outside <sandbox_workspace>/skills/. Impact Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw). Attack Requirements Attacker can provide a skill package (controls SKILL.md frontmatter). Victim runs with sandbox enabled and skill mirroring into the sandbox workspace...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.
Overview In affected versions, OpenClawโs sandbox skill mirroring used the skillโs frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments (for example ../) or an absolute path could cause the copy to write outside <sandbox_workspace>/skills/. Impact Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw). Attack Requirements Attacker can provide a skill package (controls SKILL.md frontmatter). Victim runs with sandbox enabled and skill mirroring into the sandbox workspace...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.