From 5ded815e6ad17d1f12df8e539309aa8528546e66 Mon Sep 17 00:00:00 2001
From: davida-ps <232346510+davida-ps@users.noreply.github.com>
Date: Sat, 7 Feb 2026 06:10:59 +0000
Subject: [PATCH] chore: CVE advisories - 1 new, 0 updated

Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot
Poll window: 2026-02-05T12:53:37Z to 2026-02-07T06:10:40.000Z
---
 advisories/feed.json                     | 17 ++++++++++++++++-
 skills/clawsec-feed/advisories/feed.json | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/advisories/feed.json b/advisories/feed.json
index b24b16f..2beb15e 100644
--- a/advisories/feed.json
+++ b/advisories/feed.json
@@ -1,8 +1,23 @@
 {
   "version": "0.0.2",
-  "updated": "2026-02-05T12:53:37Z",
+  "updated": "2026-02-07T06:10:59Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-25593",
+      "severity": "high",
+      "type": "vulnerable_skill",
+      "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
+      "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
+      "affected": [],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-02-06T21:16:17.790",
+      "references": [
+        "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
+      ],
+      "cvss_score": 8.4,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593"
+    },
     {
       "id": "CVE-2026-25475",
       "severity": "medium",
diff --git a/skills/clawsec-feed/advisories/feed.json b/skills/clawsec-feed/advisories/feed.json
index b24b16f..2beb15e 100644
--- a/skills/clawsec-feed/advisories/feed.json
+++ b/skills/clawsec-feed/advisories/feed.json
@@ -1,8 +1,23 @@
 {
   "version": "0.0.2",
-  "updated": "2026-02-05T12:53:37Z",
+  "updated": "2026-02-07T06:10:59Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-25593",
+      "severity": "high",
+      "type": "vulnerable_skill",
+      "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
+      "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
+      "affected": [],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-02-06T21:16:17.790",
+      "references": [
+        "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
+      ],
+      "cvss_score": 8.4,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593"
+    },
     {
       "id": "CVE-2026-25475",
       "severity": "medium",