GHSA-2fgq-7j6h-9rm4

### Summary `system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed.

### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.21-2` (includes latest published npm version at triage time) - Patched (planned next release): `2026.2.22`

### Impact In `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body.

### Root Cause Host exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution.

### Fix - Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS). - For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`). - Add regression tests for TS and macOS paths.

### Fix Commit(s) - `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a`

### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only.

### Severity Rationale This advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`.

Under OpenClaw's documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.

The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.

OpenClaw thanks @tdjackey for reporting.