Summary
On Windows, the Lobster extension previously retried certain spawn failures (ENOENT/EINVAL) with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version at triage:
2026.2.17 - Affected range:
>= 2026.1.21 <= 2026.2.17 - Patched version:
2026.2.19(pre-set for next release)
Fix
The Windows shell fallback was removed. Wrapper compatibility is preserved by resolving .cmd/.bat shims to a concrete Node entrypoint (or executable) and executing with explicit argv (no shell). If a safe entrypoint cannot be resolved, execution now fails closed with a guided error.
Fix Commit(s)
ba7be018da354ea9f803ed356d20464df0437916
Severity Context
This issue requires Windows plus fallback-triggering conditions, and argument control through a local operator-defined workflow.
OpenClaw thanks @tdjackey for reporting.
References: