GHSA-9q2p-vc84-2rwm: OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw’s system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries.

A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.

Latest published npm version: 2026.3.2

Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work.