security: Fix command injection in openclaw.sh files

Fixed command injection vulnerability in sprite/openclaw.sh where OPENCLAW_CONFIG was echoed directly into remote shell command with user-controlled MODEL_ID variable. Changed to use temp file + secure upload instead of inline echo. Also added chmod 600 to all OPENCLAW_CONFIG_TEMP files across all cloud providers (linode, vultr, digitalocean, hetzner, sprite) to prevent race condition where credentials could be exposed in temp files before being written. Changes: - sprite/openclaw.sh: Replaced echo with temp file + sprite exec -file - All openclaw.sh: Added chmod 600 after mktemp for credentials Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-05-31 21:40:28 +00:00 · 2026-02-07 19:48:09 +00:00 · 2026-02-07 19:48:09 +00:00 · 355c330507
commit 355c330507
parent 180b1637c7
5 changed files with 17 additions and 6 deletions
--- a/digitalocean/openclaw.sh
+++ b/digitalocean/openclaw.sh
@ -70,6 +70,7 @@ run_server "$DO_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)

 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
  "env": {
--- a/hetzner/openclaw.sh
+++ b/hetzner/openclaw.sh
@ -71,6 +71,7 @@ run_server "$HETZNER_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)

 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
  "env": {
--- a/linode/openclaw.sh
+++ b/linode/openclaw.sh
@ -37,6 +37,7 @@ log_warn "Configuring openclaw..."
 run_server "$LINODE_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)
 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
  "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },
--- a/sprite/openclaw.sh
+++ b/sprite/openclaw.sh
@ -65,26 +65,33 @@ run_sprite "$SPRITE_NAME" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 # Generate a random gateway token
 GATEWAY_TOKEN=$(openssl rand -hex 16)

-OPENCLAW_CONFIG='{
+# Create config file locally first, then upload
+OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
+cat > "$OPENCLAW_CONFIG_TEMP" << EOF
+{
  "env": {
-    "OPENROUTER_API_KEY": "'"$OPENROUTER_API_KEY"'"
+    "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}"
  },
  "gateway": {
    "mode": "local",
    "auth": {
-      "token": "'"$GATEWAY_TOKEN"'"
+      "token": "${GATEWAY_TOKEN}"
    }
  },
  "agents": {
    "defaults": {
      "model": {
-        "primary": "openrouter/'"$MODEL_ID"'"
+        "primary": "openrouter/${MODEL_ID}"
      }
    }
  }
-}'
+}
+EOF

-run_sprite "$SPRITE_NAME" "echo '$OPENCLAW_CONFIG' > ~/.openclaw/openclaw.json"
+# Upload config file securely
+sprite exec -s "$SPRITE_NAME" -file "$OPENCLAW_CONFIG_TEMP:/tmp/openclaw_config.json" -- bash -c "mv /tmp/openclaw_config.json ~/.openclaw/openclaw.json"
+rm "$OPENCLAW_CONFIG_TEMP"

 echo ""
 log_info "✅ Sprite setup completed successfully!"
--- a/vultr/openclaw.sh
+++ b/vultr/openclaw.sh
@ -53,6 +53,7 @@ run_server "$VULTR_SERVER_IP" "rm -rf ~/.openclaw && mkdir -p ~/.openclaw"
 GATEWAY_TOKEN=$(openssl rand -hex 16)

 OPENCLAW_CONFIG_TEMP=$(mktemp)
+chmod 600 "$OPENCLAW_CONFIG_TEMP"
 cat > "$OPENCLAW_CONFIG_TEMP" << EOF
 {
  "env": { "OPENROUTER_API_KEY": "${OPENROUTER_API_KEY}" },