OpenClaw macOS deep link confirmation truncation can conceal executed agent message

Description

Summary

OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run".

At the time of writing, the OpenClaw macOS desktop client is still in beta.

An attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed.

Impact

If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message.

Affected Versions

  • OpenClaw macOS desktop client versions >= 2026.2.6 and <= 2026.2.13.

Fixed Versions

  • 2026.2.14.

Mitigations

  • Do not approve unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites.
  • Use unattended deep links only with a valid key for trusted personal automations.

Resolution

Unkeyed deep links now enforce a strict message length limit for confirmation and ignore delivery/routing knobs (deliver, to, channel) unless a valid unattended key is provided.

Fix commit: 28d9dd7a772501ccc3f71457b4adfee79084fe6f


Fix commit 28d9dd7a772501ccc3f71457b4adfee79084fe6f confirmed on main and in v2026.2.14. Upgrade to openclaw &gt;= 2026.2.14.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-17 21:41:40 UTC
Updated
2026-02-20 16:44:26 UTC
GitHub reviewed
2026-02-17 21:41:40 UTC
NVD published
2026-02-19

EPSS Score

Score Percentile
0.03% 7.91%

CVSS Scores

Base score Version Severity Vector
7.1 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-451 User Interface (UI) Misrepresentation of Critical Information

Credits

  • Cillian-Collins (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm openclaw >= 2026.2.6-0, < 2026.2.14 2026.2.14

References

cvelogic Threat Intelligence