Perceptive Security
SOC/SIEM Consultancy

OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or gr…
Published:
4 March 2026 at 23:00:00
Alert date:
5 March 2026 at 23:13:13
Source:
nvd.nist.gov
Security Tools, Web Technologies
The OpenClaw exec-approvals component validates a command against its allowlist using the argv tokens as written, before any shell expansion, but then executes the command through a real shell that performs expansion. A caller can therefore hand an allowlisted "safe" read-only binary such as head, tail, or grep an argument containing a glob pattern or an environment-variable reference: the literal token passes validation, and the shell expands it at run time into a path the allowlist was meant to block. The outcome is disclosure of any local file readable by the gateway or node process. The flaw is reachable by authorized callers, and through prompt injection when host execution is enabled in allowlist mode; it is tracked as CVE-2026-28463. Until the fix referenced in the linked commit and advisory is applied, allowlist mode with host execution enabled should be treated as an arbitrary-file-read capability for anyone who can reach the exec path, prompt-injected model output included.
Technical details
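The following is an added illustration of the general pattern behind this advisory, written for this page; it is not OpenClaw's code and does not reproduce its exec-approvals logic. It assumes a minimal allowlist of "safe" reader binaries, a denied directory prefix, and a constructed sandbox directory holding a fake secret. The vulnerable runner checks the literal tokens and then passes the original string to a real shell; the hardened runner rejects expansion metacharacters and executes without a shell, so the binary receives exactly the tokens that were validated.

```python
"""Validation/execution mismatch in a shell allowlist (added example, not OpenClaw code).

A token-level check passes because it only sees the literal argv tokens;
the shell then expands globs and $VARS after the check has already run.
"""
import os
import re
import shlex
import subprocess
import tempfile

SAFE_BINS = {"head", "tail", "grep"}          # assumed allowlist of read-only readers
SHELL_META = re.compile(r"[*?\[\]{}$`~]")      # glob / variable / tilde expansion characters


def validate_tokens(argv, denied_prefix):
    """Allowlist check on the literal, pre-expansion argv tokens (the flawed pattern)."""
    if not argv or argv[0] not in SAFE_BINS:
        return False
    return not any(tok.startswith(denied_prefix) for tok in argv[1:])


def run_vulnerable(command, denied_prefix, env=None):
    """Validates tokens, then hands the original string to a real shell."""
    argv = shlex.split(command)
    if not validate_tokens(argv, denied_prefix):
        raise PermissionError(f"denied: {command}")
    # Globs, $VARS and ~ resolve here, after the check that was meant to gate them.
    proc = subprocess.run(command, shell=True, capture_output=True, text=True, env=env)
    return proc.stdout


def run_hardened(command, denied_prefix, env=None):
    """Rejects expansion metacharacters and executes without a shell."""
    argv = shlex.split(command)
    if not validate_tokens(argv, denied_prefix):
        raise PermissionError(f"denied: {command}")
    if any(SHELL_META.search(tok) for tok in argv[1:]):
        raise PermissionError(f"expansion metacharacters rejected: {command}")
    # shell=False: the validated tokens are exactly what the binary receives.
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, env=env)
    return proc.stdout


def make_sandbox():
    """Constructed fixture: one public file and one 'secret' under a denied directory."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    os.makedirs(os.path.join(root, "secrets"))
    with open(os.path.join(root, "secrets", "api_key.txt"), "w") as fh:
        fh.write("API_KEY=constructed-secret-value\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("public text\n")
    return root


def demo():
    """Runs the benign, glob, variable and literal cases against both runners."""
    root = make_sandbox()
    denied = os.path.join(root, "secrets") + os.sep
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "SANDBOX": root}
    results = {}
    # Benign use of an allowlisted reader passes the hardened runner.
    results["benign"] = run_hardened(f"head -n 1 {root}/readme.txt", denied, env)
    # Glob: the literal token '<root>/secr*/api_key.txt' never starts with the
    # denied prefix, so validation passes; the shell expands it to the secret.
    results["glob"] = run_vulnerable(f"head -n 1 {root}/secr*/api_key.txt", denied, env)
    # Variable: '$SANDBOX/secrets/api_key.txt' is likewise a harmless-looking token.
    results["var"] = run_vulnerable("head -n 1 $SANDBOX/secrets/api_key.txt", denied, env)
    # The literal denied path is the only form the token check ever caught.
    try:
        run_vulnerable(f"head -n 1 {root}/secrets/api_key.txt", denied, env)
        results["literal"] = "allowed"
    except PermissionError:
        results["literal"] = "denied"
    # Hardened runner: the same glob and variable commands are refused before execution.
    for name, cmd in (("glob", f"head -n 1 {root}/secr*/api_key.txt"),
                      ("var", "head -n 1 $SANDBOX/secrets/api_key.txt")):
        try:
            run_hardened(cmd, denied, env)
            results["hardened_" + name] = "allowed"
        except PermissionError:
            results["hardened_" + name] = "denied"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value.strip()!r}")
```

The two hardened measures are deliberately redundant: executing without a shell alone already stops expansion, and rejecting metacharacters alone would still leave a `shell=True` executor exposed to anything the regex misses, so a reviewer should look for both when auditing an allowlist-gated exec path.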
Mitigation steps:
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28463
https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b
https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp
https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
