GHSA-77hf-7fqf-f227: OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
The tar.bz2 installer path in src/agents/skills-install-download.ts used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor.
This allowed crafted .tar.bz2 archives to bypass special-entry blocking and extracted-size guardrails enforced on other archive paths, causing local availability impact during skill install.