GHSA-796M-2973-WC5Q OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
Summary tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/--split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload. Affected Packages /...