js · openclaw · Critical
OpenClaw: Workspace .env npm_execpath override in install helper
What changed
A workspace .env file could set npm_execpath and so override the package-manager executable path used by the install helper, potentially running an unintended local package-manager executable during dependency setup.
Who it affects
OpenClaw users who have the affected feature enabled: a workspace .env in a repository opened by a trusted operator could influence the install of bundled runtime dependencies.
What to do today
Update to patched version 2026.4.29 or later; until then, install bundled runtime dependencies from trusted workspaces only, and disable the affected feature if not needed.
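One way to check a workspace before installing from it, as an added example (not OpenClaw's code or its actual fix): report any line of a workspace .env that sets npm_execpath, and keep that key out of the environment handed to an install step. The function names and the dotenv-style syntax are assumptions.

```javascript
// Added example: not OpenClaw code. Function names are hypothetical.
// Assumes dotenv-style lines: optional "export ", KEY=VALUE, "#" comments.

// Keys a workspace file must never set for an install step. Only
// npm_execpath comes from the advisory; extend the list as needed.
const BLOCKED_KEYS = new Set(["npm_execpath"]);

function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return;
    const value = m[2].replace(/^(['"])(.*)\1$/, "$2"); // strip matching quotes
    entries.push({ key: m[1], value, line: i + 1 });
  });
  return entries;
}

// Compare case-insensitively: Windows environment names ignore case.
function isBlocked(key) {
  return BLOCKED_KEYS.has(key.toLowerCase());
}

// Report every line of a workspace .env that tries to set a blocked key.
function findOverrides(text) {
  return parseEnv(text).filter((e) => isBlocked(e.key));
}

// Build the child-process environment: workspace values are merged in,
// but blocked keys keep whatever the trusted base environment had.
function buildInstallEnv(baseEnv, text) {
  const env = { ...baseEnv };
  for (const { key, value } of parseEnv(text)) {
    if (!isBlocked(key)) env[key] = value;
  }
  return env;
}

// Constructed sample input, not taken from any real repository.
const SAMPLE_ENV = [
  "# workspace settings",
  "API_URL=https://example.invalid",
  'export NPM_EXECPATH="./tools/pm.js"',
  "npm_execpath=./tools/pm.js",
].join("\n");

console.log(findOverrides(SAMPLE_ENV).map((e) => `line ${e.line}: ${e.key}`));
```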