OpenClaw Bash Safety — Why Your Agent Is a Security Risk
What Autonomous Bash Execution Actually Means
When you give an OpenClaw agent access to the exec tool, you are giving an AI
model the ability to run arbitrary shell commands on your machine — your files,
your network, your credentials, your hardware.
Most operators understand this abstractly. Fewer understand what it means when
the agent is running autonomously, 24/7, executing commands generated from
tool outputs, web content, files it reads, and messages it receives.
Every one of those inputs is a potential injection vector.
Default OpenClaw has no validation layer between the model's decision to run a
command and the shell that executes it. The model is the only check. And models
can be manipulated.
The Categories of Attack That Exist
When an agent executes bash autonomously, the attack surface spans several
distinct categories. Understanding the categories is more important than
knowing specific exploits — exploits evolve, categories don't.
Command Obfuscation
Shell commands can be written in ways that hide their intent from a model
evaluating them as text. Variable substitution, brace expansion, heredocs,
and character encoding tricks can make a destructive command unrecognizable
as dangerous without AST-level parsing.
A model reading ${dangerous_var} as a string sees a variable reference.
The shell sees whatever is in that variable.
Substitution Injection
Backtick and $() command substitution, and <() or >() process substitution,
allow commands to be constructed from the output of other commands.
An agent building a shell command from external data — a filename, a URL
response, a file it read — can have malicious commands injected into the
construction.
This is the bash equivalent of SQL injection, and it is trivially achievable
against agents that splice untrusted values into a command string instead of
passing them as separate, quoted arguments.
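The injection described above, shown three ways. This is an added example written for this page, not OpenClaw's exec tool or any project's code; the payload, the cat command, and the marker file are constructed for the demonstration. The vulnerable form concatenates a filename into a shell string; the two hardened forms pass it as an argv element or quote it with shlex.quote, and the same payload no longer runs.

```python
"""Substitution injection: a filename from untrusted input reaches a shell.

Hypothetical example code for this page, not OpenClaw's exec tool.  Runs in a
temporary directory with a constructed payload; the injected command only
creates a marker file there.
"""
import os
import shlex
import subprocess
import tempfile

# Constructed payload: a "filename" carrying a $() command substitution.
PAYLOAD = "notes.txt $(echo injected > marker)"


def run_vulnerable(filename, cwd):
    # String concatenation plus shell=True: /bin/sh parses the filename as
    # shell syntax, so the $() inside it runs before cat ever sees it.
    return subprocess.run("cat " + filename, shell=True, cwd=cwd,
                          capture_output=True, text=True)


def run_hardened(filename, cwd):
    # argv list, no shell: the filename is one argument and is never parsed.
    # "--" also stops a filename such as "-n" from being read as an option.
    return subprocess.run(["cat", "--", filename], cwd=cwd,
                          capture_output=True, text=True)


def run_quoted(filename, cwd):
    # When a shell string is unavoidable (pipes or redirects the agent needs),
    # quote every externally supplied value so the shell treats it as data.
    return subprocess.run("cat -- " + shlex.quote(filename), shell=True,
                          cwd=cwd, capture_output=True, text=True)


def demo():
    """Return whether the injected command ran under each construction style."""
    injected = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("TODO: rotate keys\n")
        for name, run in (("vulnerable", run_vulnerable),
                          ("hardened", run_hardened),
                          ("quoted", run_quoted)):
            marker = os.path.join(d, "marker")
            run(PAYLOAD, d)
            injected[name] = os.path.exists(marker)
            if injected[name]:
                os.remove(marker)
        # The safe forms still work for an honest filename.
        injected["hardened_reads_real_file"] = (
            "rotate keys" in run_hardened("notes.txt", d).stdout)
    return injected


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The argv form is the one to prefer: it removes the shell from the path entirely, so there is nothing for the substitution to be parsed by. Quoting is the fallback for the cases where the agent genuinely needs shell features, and it has to be applied to every external value, not just the one the developer remembered.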
Encoding and Unicode Attacks
Unicode homoglyphs, zero-width characters, right-to-left overrides, and
multi-byte sequences can make a command look like one thing to a model's
text processing while the shell interprets it differently.
A filename carrying a right-to-left override can display as readme.txt while
its actual bytes end in .exe. A path built from homoglyphs, such as a Cyrillic
а in /etc/pаsswd, reads as /etc/passwd to a model or a reviewer but names a
different file entirely; whichever direction the trick runs, the reviewer
approves or blocks the wrong thing. The practical rule for an agent harness is
to reject commands containing bidirectional controls or zero-width characters
and to treat any word that mixes ASCII and non-ASCII letters as suspect.
Shell-Specific Escape Vectors
Bash and Zsh have different dangerous builtins, different history mechanisms,
and different expansion behaviors. A validation layer written for Bash doesn't
necessarily catch Zsh-specific attacks. Production security covers both shells,
separately, because the dangerous commands are not the same list.
Persistence and Escalation Vectors
These are the attacks that matter most for autonomous agents: commands that
modify cron, init, or systemd entries; commands that install backdoors into
shell profiles; commands that create persistent network listeners; commands
that modify sudo configuration. An agent that runs one of these once, even
accidentally, has a problem that survives reboots.
Why ClawHavoc Happened
In early 2026, 341 skills on ClawHub were found to contain malicious bash
payloads — roughly 20% of the active skill library at the time.
The mechanism was straightforward: skills execute code in the agent's context.
Skills that included setup scripts, configuration helpers, or initialization
routines had those routines execute with full agent permissions when the skill
was installed. No validation layer checked those scripts before execution.
ClawHavoc wasn't a sophisticated supply chain attack. It was an absence of
validation. Any operator who installed affected skills and had exec access
enabled was exposed.
The affected skills looked legitimate. They had reasonable descriptions,
normal-looking metadata, and plausible functionality. The malicious payload
was in the setup script — the part most operators never read.
Why Regex Validation Isn't Enough
The obvious fix is regex pattern matching: block commands that contain rm -rf,
curl | bash, known exfiltration patterns. Most simple bash validators work
this way.
The problem is that regex operates on text. Shell execution operates on
parsed syntax trees. You can write a command that passes every reasonable
regex check and still executes destructively once the shell expands variables,
resolves aliases, and processes substitutions.
Production bash security requires validation at multiple levels:
- Text level (catches obvious patterns)
- Structural level (catches substitution and expansion tricks)
- Semantic level (catches context-dependent risks like relative paths in
privileged operations)
- Shell-specific level (catches builtins and behaviors that differ between
Bash and Zsh)
Each level catches a different class of attack. Skipping any one of them
leaves a category of attack unblocked.
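The layers above, applied as one validator. This is an added example written for this page, not OpenClaw's exec tool and not the Bash Security Validator skill; the pattern lists, the persistence-path list, and the policy that an autonomous agent never needs substitution, eval, or unresolved variables in a command are assumptions chosen for illustration. It also serves the Command Obfuscation, Encoding and Unicode Attacks, and Persistence and Escalation Vectors sections: text_layer() alone passes r''m -rf / and "r"m -rf /, while validate() folds the quoting the way the shell does and catches them, rejects bidi controls and mixed-script words, and flags writes to cron, systemd, sudoers, and shell profiles.

```python
"""Layered shell-command validator: text, encoding, structural, semantic.

Hypothetical example code written for this page; not OpenClaw's exec tool and
not the Bash Security Validator skill.  Pattern lists and the policy that an
autonomous agent never needs substitution, eval or variables in a command are
illustrative assumptions, not a complete denylist.
"""
import re
import shlex
import unicodedata

# Layer 1, text: what a regex-only validator does.  Constructed patterns.
TEXT_PATTERNS = {
    "rm with a recursive flag": re.compile(r"\brm\s+-[A-Za-z]*r"),
    "remote content piped into a shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "raw device write or format": re.compile(r"\bmkfs\b|\bdd\b.*\bof=/dev/"),
}

# Layer 2, structural: constructs whose meaning only appears after the shell
# expands them, so a text check cannot see what will run.
STRUCTURAL_PATTERNS = {
    "$() command substitution": re.compile(r"\$\("),
    "backtick command substitution": re.compile(r"`"),
    "<() or >() process substitution": re.compile(r"[<>]\("),
    "$'..' ANSI-C quoting (byte escapes)": re.compile(r"\$'"),
    "eval": re.compile(r"\beval\b"),
    "decoding an encoded payload": re.compile(r"\bbase64\b.*(\s-d\b|--decode)|\bxxd\s+-r\b"),
    "variable expansion the validator cannot resolve": re.compile(r"\$\{?[A-Za-z_]"),
}

# Layer 3, semantic: persistence and escalation targets.  Writing to one of
# these locations is the concern, so plain reads are not flagged.
PERSISTENCE_PATHS = (
    "/etc/cron", "/var/spool/cron", "/etc/systemd", "/etc/init.d", "/etc/rc.local",
    "/etc/sudoers", "/etc/profile", "/etc/ld.so.preload", "authorized_keys",
    ".bashrc", ".bash_profile", ".profile", ".zshrc", ".zshenv", ".zprofile",
)
WRITE_INDICATOR = re.compile(r">>?|\b(tee|cp|mv|ln|install)\b|\bsed\s+-[A-Za-z]*i")
PERSISTENCE_COMMANDS = {"crontab", "visudo", "chattr"}
LISTENER = re.compile(r"\b(nc|ncat|netcat)\b.*\s-[A-Za-z]*l\b|\bsocat\b.*\bLISTEN\b")


def text_layer(cmd):
    """Regex-only verdict: the reasons a naive validator would give."""
    return [reason for reason, pat in TEXT_PATTERNS.items() if pat.search(cmd)]


def encoding_layer(cmd):
    findings = []
    # Category Cf covers zero-width characters, bidi overrides and the BOM.
    controls = [ch for ch in cmd if unicodedata.category(ch) == "Cf"]
    if controls:
        findings.append("format control character U+%04X" % ord(controls[0]))
    if unicodedata.normalize("NFKC", cmd) != cmd:
        findings.append("compatibility characters (e.g. fullwidth) that normalize to other text")
    for word in cmd.split():
        scripts = {ch.isascii() for ch in word if ch.isalpha()}
        if len(scripts) > 1:  # ASCII and non-ASCII letters in one word: homoglyph candidate
            findings.append("mixed-script word %r" % word)
            break
    return findings


def validate(cmd):
    """Return {"allowed": bool, "findings": [(layer, reason), ...], "normalized": str}."""
    findings = [("text", r) for r in text_layer(cmd)]
    findings += [("encoding", r) for r in encoding_layer(cmd)]
    findings += [("structural", r) for r, p in STRUCTURAL_PATTERNS.items() if p.search(cmd)]

    # Structural, part two: fold quoting and backslash escapes the way the
    # shell does (r''m, "r"m and \rm all become rm) and re-run the text layer.
    try:
        words = shlex.split(cmd, posix=True)
    except ValueError as exc:
        findings.append(("structural", "unparseable quoting: %s" % exc))
        words = []
    normalized = " ".join(words)
    if normalized != cmd:
        for reason in text_layer(normalized):
            if reason not in text_layer(cmd):
                findings.append(("structural", reason + " (hidden by quoting or escaping)"))

    # Semantic: a write landing on a persistence location, a cron/sudo editor,
    # or a listening socket outlives the session and often the reboot.
    if WRITE_INDICATOR.search(normalized):
        for w in words:
            if any(p in w for p in PERSISTENCE_PATHS):
                findings.append(("semantic", "write targeting persistence location %s" % w))
    if words and words[0] in PERSISTENCE_COMMANDS:
        findings.append(("semantic", "persistence/escalation command %s" % words[0]))
    if LISTENER.search(normalized):
        findings.append(("semantic", "creates a network listener"))

    return {"allowed": not findings, "findings": findings, "normalized": normalized}
```

The shell-specific layer is the one not shown: a real harness would know which shell the exec tool spawns and apply that shell's own builtin and expansion list before this one. Note also that the structural layer refuses variables and substitutions outright rather than resolving them; the validator cannot see the value of ${dangerous_var} at check time, so a text check on the unexpanded command tells it nothing, and refusing is the only honest answer.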
The Bottom Line
If your OpenClaw agent has exec access — and most useful configurations do —
and it operates on any external input (messages, files, web content, tool
outputs), you have an unvalidated shell execution surface.
This was acceptable when agents were supervised demos. It is not acceptable
when they run autonomously.
ClawHavoc demonstrated that the threat is real and active. The question is
whether you address it before or after something goes wrong on your machine.
*The full 23-validator production security chain — validated through production
Claude Code deployments — is available as the
Bash Security Validator skill on Claw Mart:*
https://www.shopclawmart.com/listings/bash-security-validator-production-openclaw-shell-safety-ded33491