OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
Summary: When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions...
Authentication Bypass
@account-kit/smart-contracts is vulnerable to Authentication Bypass. The vulnerability stems from faulty access control: a bug in the allowlist logic permitted session keys to bypass allowlist restrictions...