GHSA-4564-PVR2-QQ4H OpenClaw: Prevent shell injection in macOS keychain credential write
Summary
On macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. The fix avoids invoking a...
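
The pattern described in the summary, as an added example (not OpenClaw's code and not the project's actual patch): a credential JSON blob pasted into a shell command string, next to the same write expressed as an argv array that no shell parses. The service and account names, the quoting style of the vulnerable builder, and the stand-in for the real security binary are assumptions so the example runs on any POSIX system.

```javascript
// Added example (not OpenClaw code). The service/account names and the quoting
// style of the vulnerable builder are assumptions made for illustration.
const { execFileSync } = require('node:child_process');

const SERVICE = 'example-service'; // constructed placeholder
const ACCOUNT = 'example-account'; // constructed placeholder

// Vulnerable pattern: the JSON blob is pasted into a shell command string.
function buildShellCommand(creds) {
  const json = JSON.stringify(creds);
  return `security add-generic-password -U -s "${SERVICE}" -a "${ACCOUNT}" -w '${json}'`;
}

// Hardened pattern: an argv array, for execFile-style spawning with no shell.
function buildArgv(creds) {
  return ['add-generic-password', '-U', '-s', SERVICE, '-a', ACCOUNT, '-w', JSON.stringify(creds)];
}

// Stand-in for the real binary so this runs anywhere: a shell function named
// `security` prints each argument it receives, one per line.
function argsSeenViaShell(cmd) {
  const script = `security() { printf '%s\\n' "$@"; }; ${cmd}`;
  return execFileSync('/bin/sh', ['-c', script], { encoding: 'utf8' }).trimEnd().split('\n');
}

// Same stand-in, but the arguments arrive as argv and are never parsed as shell.
function argsSeenViaArgv(argv) {
  const out = execFileSync('/bin/sh', ['-c', `printf '%s\\n' "$@"`, 'security', ...argv], { encoding: 'utf8' });
  return out.trimEnd().split('\n');
}

// Constructed token: the single quote ends the quoting, so $(...) is evaluated.
const creds = { accessToken: "tok'$(echo INJECTED)'" };

// Returns the value the -w argument actually carries on each path.
function demo() {
  const viaShell = argsSeenViaShell(buildShellCommand(creds)).pop();
  const viaArgv = argsSeenViaArgv(buildArgv(creds)).pop();
  return { viaShell, viaArgv };
}

console.log(demo());
```

On the shell path the stored value differs from the token that was supplied, which is the sign that the shell evaluated part of it; on the argv path the blob arrives byte for byte.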