Claude CodeSignal from PR description only — not from commit metadata
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.
How AI Introduced This
AI-authored code contributed via commit 7a9ff182608b0c083ed57e3f199495ac93f4a079, which added remote attachment staging that writes directly to the chosen destination path with `scpFile(..., dest)` and preserved the same unsafe destination-write design for local copies, all without symlink-safe destination validation. The original sandbox overwrite flaw was introduced earlier by human-authored commit ea018a68ccb92dbc735bc1df9880d5c95c63ca35, but the AI commit extended and reaffirmed the vulnerable staging logic, so AI was part of the causal chain.
▶Attribution Chain
▶Bug-Introducing Commits(1)
iMessage: Add remote attachment support for VM/SSH deployments
Deep Verification
by GPT-5.4This AI-authored commit added the remote-media branch in `stageSandboxMedia`, including `await scpFile(ctx.MediaRemoteHost, source, dest);`, where `dest` is the sandbox staging path and no destination symlink checks are performed. Its diff also rewrote the local staging block into the new conditional while retaining the same direct write-to-`dest` behavior, so it preserved the unsafe design and introduced a second vulnerable write path that the fix later replaced with temp-file staging plus `writeFileWithinRoot`. The screening note was directionally correct: this commit does directly touch the vulnerable function and meaningfully contributes to the flaw, even though it is not the earliest origin.
▶AI Signals(1)
| Claude Code | PR body keyword | Generated with [Claude Code] | 90% |