From 9ae2efa2f7a5e67523656199c6784fcfdde8ceb7 Mon Sep 17 00:00:00 2001
From: davida-ps <232346510+davida-ps@users.noreply.github.com>
Date: Sun, 8 Feb 2026 06:16:29 +0000
Subject: [PATCH] chore: CVE advisories - 1 new, 0 updated

Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot
Poll window: 2026-02-05T12:53:37Z to 2026-02-08T06:16:10.000Z
---
 advisories/feed.json                     | 17 ++++++++++++++++-
 skills/clawsec-feed/advisories/feed.json | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/advisories/feed.json b/advisories/feed.json
index b24b16f..aec4ea2 100644
--- a/advisories/feed.json
+++ b/advisories/feed.json
@@ -1,8 +1,23 @@
 {
   "version": "0.0.2",
-  "updated": "2026-02-05T12:53:37Z",
+  "updated": "2026-02-08T06:16:28Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-25593",
+      "severity": "high",
+      "type": "vulnerable_skill",
+      "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
+      "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
+      "affected": [],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-02-06T21:16:17.790",
+      "references": [
+        "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
+      ],
+      "cvss_score": 8.4,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593"
+    },
     {
       "id": "CVE-2026-25475",
       "severity": "medium",
diff --git a/skills/clawsec-feed/advisories/feed.json b/skills/clawsec-feed/advisories/feed.json
index b24b16f..aec4ea2 100644
--- a/skills/clawsec-feed/advisories/feed.json
+++ b/skills/clawsec-feed/advisories/feed.json
@@ -1,8 +1,23 @@
 {
   "version": "0.0.2",
-  "updated": "2026-02-05T12:53:37Z",
+  "updated": "2026-02-08T06:16:28Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-25593",
+      "severity": "high",
+      "type": "vulnerable_skill",
+      "title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
+      "description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
+      "affected": [],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-02-06T21:16:17.790",
+      "references": [
+        "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
+      ],
+      "cvss_score": 8.4,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593"
+    },
     {
       "id": "CVE-2026-25475",
       "severity": "medium",