OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow: untrusted media keys are interpolated directly into temporary file names in extensions/feishu/src/media.ts. Because `path.join()` normalizes `..` segments instead of rejecting them, an attacker who can control the Feishu media key values the client receives can use traversal segments to escape os.tmpdir() and write files to any location the OpenClaw process has permission to write.
How AI Introduced This
Yes. The AI-coauthored commit 2267d58afcc70fe19408b8f0dce108c340f3426d created extensions/feishu/src/media.ts and introduced the unsafe `path.join(os.tmpdir(), ...)` temp-file construction, with `imageKey`/`fileKey` interpolated into the file name, that the fixes later removed. A later human refactor rewrote the same bug, but the AI-authored code was the original vulnerable implementation and part of the causal chain.
Attribution Chain
Bug-Introducing Commits (1)
feat(feishu): replace built-in SDK with community plugin
Deep Verification
Verified by GPT-5.4. This AI-coauthored commit added the new Feishu plugin and created extensions/feishu/src/media.ts with the vulnerable branches ``const tmpPath = path.join(os.tmpdir(), `feishu_img_${Date.now()}_${imageKey}`)`` and ``const tmpPath = path.join(os.tmpdir(), `feishu_${Date.now()}_${fileKey}`)`` before calling `responseAny.writeFile(tmpPath)`. In the same plugin version, bot.ts parses inbound message JSON and passes attacker-controlled `image_key`/`file_key` values into `downloadMessageResourceFeishu`, so untrusted keys reached filesystem path construction immediately. The pre-replacement built-in code at 4fc4c5256ad527e14beade2b872984fe0dd3f057 streamed media via `getReadableStream()` and did not interpolate keys into temp paths, so this was a real introduction, not just a file move.
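The temp-path construction quoted in the description and in the verification note above, shown next to a hardened form, as an added TypeScript example. This is not code from OpenClaw or from its fixes: `vulnerableTmpPath` reproduces the `path.join(os.tmpdir(), ...)` pattern the page quotes, while `safeTmpPath`, `isInside`, the `SAFE_KEY` allowlist and the constructed key `../../../escaped.txt` are assumptions for illustration only (the allowlist should be tightened to the real Feishu key format, which this page does not state).

```typescript
import * as os from "node:os";
import * as path from "node:path";

// Vulnerable construction as quoted on the page: the media key goes straight
// into the file name. path.join() normalizes "..", so a key carrying traversal
// segments is resolved *out of* os.tmpdir() rather than kept inside it.
function vulnerableTmpPath(imageKey: string, now: number = Date.now()): string {
  return path.join(os.tmpdir(), `feishu_img_${now}_${imageKey}`);
}

// Containment check (assumption, not the project's code): true only when
// `target` resolves to a location strictly inside `base`. A sibling entry
// such as "/base/..foo" must still count as inside, hence the separator check.
function isInside(base: string, target: string): boolean {
  const rel = path.relative(path.resolve(base), path.resolve(target));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(`..${path.sep}`);
}

// Allowlist for media keys (assumption: adjust to the real Feishu key format).
// Rejecting "/", "\\" and "." up front means "..", absolute paths and any
// other separator tricks never reach the filesystem layer.
const SAFE_KEY = /^[A-Za-z0-9_-]{1,128}$/;

// Hardened form (added here): validate the key, then independently verify
// that the resulting path still lies under the temp directory.
function safeTmpPath(imageKey: string, now: number = Date.now()): string {
  if (!SAFE_KEY.test(imageKey)) {
    throw new Error("media key rejected: disallowed characters or length");
  }
  const base = os.tmpdir();
  const candidate = path.join(base, `feishu_img_${now}_${imageKey}`);
  if (!isInside(base, candidate)) {
    // Defense in depth: unreachable with the allowlist above, but cheap.
    throw new Error("media key rejected: path escapes tmpdir");
  }
  return candidate;
}

// Reports whether a constructed path lands outside the temp directory.
function escapesTmpdir(p: string): boolean {
  return !isInside(os.tmpdir(), p);
}

// Constructed demonstration key (not a real Feishu key). Its leading ".."
// merges into the "feishu_img_<ts>_.." segment; the two that follow pop that
// segment and then the last component of tmpdir, so the file lands above it.
const TRAVERSAL_KEY = "../../../escaped.txt";

function demo(): { vulnerable: string; escaped: boolean } {
  const vulnerable = vulnerableTmpPath(TRAVERSAL_KEY, 0);
  return { vulnerable, escaped: escapesTmpdir(vulnerable) };
}
```

`path.join()` is a normalizer, not a sandbox; the allowlist does the real work, and the `isInside` check is there so that a future change to the file-name template cannot silently reopen the hole.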
AI Signals (1)

| Tool | Signal | Evidence | Confidence |
|---|---|---|---|
| Claude Code | Co-author trailer | Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> | 95% |