GHSA-G2F6-PWVX-R275 OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection
Summary openclaw versions :. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefo...