CVE-2026-27485 Overview
CVE-2026-27485 is a symlink attack vulnerability in OpenClaw, a personal AI assistant platform. The vulnerability exists in the skills/skill-creator/scripts/package_skill.py script, a local helper utility used by skill authors when packaging skills for distribution. In versions 2026.2.17 and below, this script followed symlinks while building .skill archives, potentially allowing the inclusion of arbitrary local files from the packaging machine into the generated archive.
Critical Impact
Attackers could craft malicious skill directories containing symlinks pointing to sensitive files outside the skill root, leading to unintentional disclosure of local files when authors package those skills.
Affected Products
- OpenClaw versions 2026.2.17 and below
- OpenClaw skills/skill-creator/scripts/package_skill.py packaging script
- OpenClaw Node.js implementations
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-27485 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27485
Vulnerability Analysis
This vulnerability is classified as CWE-61 (UNIX Symbolic Link Following), which occurs when software follows symbolic links during file operations without proper validation. The package_skill.py script uses Python's zipfile module to create .skill archives by recursively walking through a skill directory using skill_path.rglob("*"). Prior to the patch, the script did not verify whether files in the traversal were symbolic links, blindly including their resolved targets in the archive.
The exploitation scenario requires a local attacker to provide a crafted skill directory to an author, who then executes the packaging script on that malicious directory. When the script encounters symlinks, it follows them and includes the content of files from outside the intended skill directory boundary.
Root Cause
The root cause is the absence of symlink validation in the file enumeration and archival logic within package_skill.py. When using pathlib.Path.rglob() combined with zipfile.ZipFile.write(), the script would transparently resolve and include symlinked file contents without checking is_symlink() first. This classic symlink-following weakness allows path traversal beyond the skill directory root.
Attack Vector
The attack requires local access and social engineering to succeed. An attacker must:
- Create a malicious skill directory containing symbolic links pointing to sensitive files (e.g., ~/.ssh/id_rsa, /etc/passwd, or application configuration files)
- Convince a skill author to download or clone this crafted skill directory
- Wait for the author to execute package_skill.py on the malicious directory
- The resulting .skill archive will contain the attacker-specified sensitive files
- If the author distributes this archive, the sensitive files become exposed
with zipfile.ZipFile(skill_filename, "w", zipfile.ZIP_DEFLATED) as zipf:
# Walk through the skill directory
for file_path in skill_path.rglob("*"):
+ # Security Check 1: Reject symlinks to prevent supply chain attacks
+ if file_path.is_symlink():
+ print(f"[ERROR] Symlinks are not allowed in skills: {file_path}")
+ print(" This is a security restriction to prevent including arbitrary files.")
+ return None
+
if file_path.is_file():
# Calculate the relative path within the zip
arcname = file_path.relative_to(skill_path.parent)
+
+ # Security Check 2: Validate arcname to prevent Zip Slip attacks
+ # Ensure the path doesn't escape the skill directory using ".." or absolute paths
+ if ".." in arcname.parts or arcname.is_absolute():
+ print(f"[ERROR] Invalid path in skill (possible Zip Slip attack): {arcname}")
+ print(" Paths with '..' or absolute paths are not allowed.")
+ return None
+
zipf.write(file_path, arcname)
print(f" Added: {arcname}")
Source: GitHub Commit Changes
Detection Methods for CVE-2026-27485
Indicators of Compromise
- Presence of symbolic links within skill directories being packaged
- Skill archives (.skill files) containing unexpected file paths or sensitive file content
- Log entries showing package_skill.py execution on directories with symlinks
Detection Strategies
- Implement file integrity monitoring on skill packaging directories to detect symlink creation
- Audit generated .skill archives by inspecting their contents for unexpected files before distribution
- Monitor execution of package_skill.py and log the directories being processed
- Use static analysis tools to scan skill directories for symbolic links before packaging
Monitoring Recommendations
- Enable verbose logging for skill packaging operations to capture file enumeration details
- Set up alerts for skill archive generation that includes files outside expected skill directory paths
- Monitor for unusual file access patterns during packaging script execution
- Implement pre-commit hooks or CI/CD checks to reject skill directories containing symlinks
How to Mitigate CVE-2026-27485
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.18 or later immediately
- Audit any previously generated .skill archives for unintended file inclusions
- Remove or quarantine any skill directories from untrusted sources
- Review skill packaging workflows to ensure only trusted skill directories are processed
Patch Information
OpenClaw has addressed this vulnerability in version 2026.2.18, which adds explicit symlink detection and rejection in the packaging script. The fix implements two security checks: (1) rejecting symlinks to prevent supply chain attacks, and (2) validating archive names to prevent Zip Slip attacks using path traversal sequences.
For detailed patch information, see the GitHub Security Advisory GHSA-r6h2-5gqq-v5v6 and the GitHub Pull Request Discussion.
Workarounds
- Manually inspect skill directories for symlinks before running package_skill.py using find /path/to/skill -type l
- Wrap the packaging script with a pre-check that rejects directories containing symbolic links
- Use containerized or sandboxed environments for skill packaging to limit potential file exposure
- Implement access controls to restrict which files the packaging script can read
# Configuration example
# Pre-check for symlinks before packaging
find /path/to/skill-directory -type l -print
# If any symlinks are found, do not proceed with packaging
# Alternatively, use a sandboxed environment:
docker run --rm -v /path/to/skill:/skill:ro openclaw/skill-packager package /skill
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
