GHSA-xvhf-x56f-2hpp: OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion

OpenClaw’s exec-approvals allowlist supports a small set of “safe bins” intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist.

In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/... without triggering approvals.

This issue is configuration-dependent and is not exercised by default settings (default tools.exec.host is sandbox).