openclaw - ✅(Solved) Fix [Bug] Exec preflight flags $ in Python string literals as shell variable injection [2 pull requests, 1 comments, 2 participants]

GitHub stats: openclaw/openclaw#67621 (fetched 2026-04-17 08:30:02). Comments: 1 · Participants: 2 · Timeline events: 4 (cross-referenced ×2, commented ×1, referenced ×1) · Reactions: 0.


PR fix notes

PR #67644: fix: avoid python preflight false positives for $ tokens in string literals

Description (problem / solution / changelog)

Summary

  • fix Python script preflight so $VAR detection only triggers outside Python string/comment ranges
  • keep Node.js behavior unchanged while preserving existing shell-injection blocking for true Python code paths
  • add regression tests for both the false-positive case (docstring/f-string/comment) and real injection case

Test plan

  • pnpm test src/agents/bash-tools.exec.script-preflight.test.ts

Closes #67621

Changed files

  • src/agents/bash-tools.exec.script-preflight.test.ts (modified, +57/-0)
  • src/agents/bash-tools.exec.ts (modified, +103/-8)

PR #67924: fix(exec): tolerate inside Python/JS string literals during preflight

Description (problem / solution / changelog)

Summary

The exec preflight scanner (security=full) was incorrectly flagging $VAR patterns inside Python and Node.js string literals as shell variable injection. This change adds a string-literal awareness helper so matches that occur inside single, double, or triple quoted strings are ignored, while still catching actual shell variable injection outside of string literals.

Changes

  • Added isInsideStringLiteral() helper in src/agents/bash-tools.exec.ts that tracks whether a given index falls inside a string literal (handles single quotes, double quotes, triple quotes, and escape sequences).
  • Updated the preflight scanner to skip $VAR matches that are inside string literals.
  • Added regression tests for both Python and Node.js scripts containing $VAR in docstrings, f-strings, and regular string literals.

Test plan

  • pnpm test src/agents/bash-tools.exec.script-preflight.test.ts passes (55 tests)
  • pnpm tsgo passes
  • pnpm oxlint on changed files passes

Related issue

Fixes #67621

Changed files

  • src/agents/bash-tools.exec.script-preflight.test.ts (modified, +49/-0)
  • src/agents/bash-tools.exec.ts (modified, +70/-5)

Original issue body

Summary

The exec preflight source-file scanner (security=full) flags $IDENTIFIER patterns inside Python string literals (docstrings, f-strings, argparse help text) as shell variable injection. This blocks execution of any Python skill that prints dollar-formatted output or uses $ as a currency label.

A simple, direct command triggers the block:

python3 ./skills/polymarket-copytrading/copytrading_trader.py --reactor --once

Version

OpenClaw 2026.4.14 (323493f)

Error

exec preflight: detected likely shell variable injection ($SIM) in python script:
copytrading_trader.py:267.
In Python, use os.environ.get("SIM") instead of raw $SIM.
(If this is inside a string literal on purpose, escape it or restructure the code.)

Exec policy

security=full
ask=off

The issue only occurs with security=full. This is distinct from the "complex interpreter invocation" issues (#62467, #67270, #66128) — those are about command patterns. This is about the file content scanner.

Root cause

The preflight regex matches $[A-Z_]+ in .py files without checking whether the match is inside a string literal. All occurrences in this file are inside Python strings:

Line     Type                           Context
267      Docstring                      'sim': Execute on Simmer LMSR with $SIM (paper trading)
360      Docstring                      Venue: 'sim' for $SIM paper trading, 'polymarket' for real USDC
934      argparse help text             help="Trading venue: 'sim' for $SIM paper trading..."
174      f-string (dollar formatting)   f" Max per position: ${config['max_position_usd']:.2f}"
377      f-string (dollar formatting)   f" Max per position: ${max_usd:.2f}"
434      f-string (dollar formatting)   f" {status} {action} ... @ ${price:.3f} (${cost:.2f})"
474      f-string (dollar formatting)   f"@ ${price:.3f} to mirror whale positions"
865      f-string (dollar formatting)   f" Value: ${value:.2f} | P&L: ...${pnl:.2f}"
869-870  f-string (dollar formatting)   f"Total Value: ${total_value:.2f}" / f"Total P&L: ...${total_pnl:.2f}"

None are shell variable references. None are inside os.system(), subprocess, or any execution context. The f-string pattern f"${var:.2f}" is standard Python for printing dollar-prefixed numbers.

Impact

  • Blocks any financial/trading skill that prints dollar amounts (e.g. f"${cost:.2f}") or uses $ as a currency label
  • The scanner's own suggestion ("use os.environ.get("SIM") instead") is incorrect — $SIM here is a currency label, not an environment variable
  • No user-configurable workaround exists — security=full is the only mode between deny and allowlist that allows general exec, and there's no way to disable just the source-file scan
  • Affects published ClawHub skills that users can't easily modify

Suggested fix

The scanner should do one of:

  1. Execution-context check — only flag $IDENTIFIER patterns inside os.system(), subprocess.*, or similar execution calls. This matches the actual threat model (shell injection) and is the simplest correct fix.
  2. AST-aware check — parse the Python file and only flag $IDENTIFIER outside string literals. More thorough but f-string AST parsing has edge cases.
  3. Heuristic improvement — skip $ matches that are followed by { (f-string format spec, e.g. ${var:.2f}) or are inside triple-quoted strings.

Reproduction

Any .py file with $SIM or f"${variable:.2f}" inside a string literal will trigger the block when run via exec with security=full.

# test.py — this file is blocked by preflight
def main():
    cost = 42.50
    print(f"Total: ${cost:.2f}")  # standard dollar formatting

if __name__ == "__main__":
    main()

$ /exec security=full
$ python3 test.py
# → exec preflight: detected likely shell variable injection ($cost)
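As an added example (not code from openclaw or from either PR), here is the string-literal and comment-aware scan that PR #67644 and PR #67924 describe and that the issue's options 2 and 3 ask for, written in TypeScript because the project's scanner lives in src/agents/bash-tools.exec.ts. Run against the test.py above it reports nothing, while a `$SIM` sitting in real Python code is still reported; the function and type names and the sample inputs are assumptions.

```typescript
// Added example, not openclaw's code: scan Python source for $IDENTIFIER tokens
// while ignoring string literals and comments, as PR #67644 / PR #67924 describe.
// Names (scanDollarTokens, Finding, the sample constants) are assumptions.
interface Finding { line: number; token: string; }

function scanDollarTokens(source: string): Finding[] {
  const findings: Finding[] = [];
  let quote: string | null = null; // open string delimiter, or null while in code
  let line = 1;
  let i = 0;
  const at = (s: string): boolean => source.slice(i, i + s.length) === s;
  while (i < source.length) {
    const ch = source[i];
    if (quote !== null) {
      // Inside a literal: an escaped character never closes the string.
      if (ch === "\\") { if (source[i + 1] === "\n") line++; i += 2; continue; }
      if (at(quote)) { i += quote.length; quote = null; continue; }
      if (ch === "\n") line++;
      i++; continue;
    }
    if (ch === "\n") { line++; i++; continue; }
    if (ch === "#") {
      // A comment runs to end of line; quotes inside it open no string.
      const nl = source.indexOf("\n", i);
      i = nl === -1 ? source.length : nl;
      continue;
    }
    if (ch === '"' || ch === "'") {
      // Triple quotes (docstrings) must be tested before the single form.
      quote = at(ch + ch + ch) ? ch + ch + ch : ch;
      i += quote.length;
      continue;
    }
    if (ch === "$") {
      const m = /^\$[A-Za-z_][A-Za-z0-9_]*/.exec(source.slice(i));
      if (m) { findings.push({ line, token: m[0] }); i += m[0].length; continue; }
    }
    i++;
  }
  return findings;
}

// Constructed inputs: the issue's test.py (no findings expected) and a bare code-path $SIM (must be reported).
const BLOCKED_TEST_PY = [
  '"""Venue: \'sim\' for $SIM paper trading."""',
  "def main():",
  "    cost = 42.50  # shown as $cost in the error",
  '    print(f"Total: ${cost:.2f}")  # standard dollar formatting',
].join("\n");
const REAL_INJECTION_PY = 'venue = $SIM\nprint("ok")';
```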

Extent analysis

TL;DR

The issue can be resolved by modifying the exec preflight source-file scanner to correctly handle $IDENTIFIER patterns inside Python string literals.

Guidance

  • The scanner should be updated to perform an execution-context check, only flagging $IDENTIFIER patterns inside os.system(), subprocess.*, or similar execution calls.
  • Alternatively, an AST-aware check can be implemented to parse the Python file and only flag $IDENTIFIER outside string literals.
  • A heuristic improvement can also be applied to skip $ matches that are followed by { (f-string format spec) or are inside triple-quoted strings.
  • To verify the fix, test the updated scanner with the provided test.py file and ensure that it no longer triggers the block when run via exec with security=full.

Example

# test.py — this file should not be blocked by the updated preflight
def main():
    cost = 42.50
    print(f"Total: ${cost:.2f}")  # standard dollar formatting

if __name__ == "__main__":
    main()

Notes

The suggested fixes require modifications to the exec preflight source-file scanner, which may involve updates to the underlying code or configuration. The choice of fix depends on the specific requirements and constraints of the system.

Recommendation

Apply a heuristic improvement to skip $ matches that are followed by { (f-string format spec) or are inside triple-quoted strings, as this is a simpler and more targeted solution that addresses the specific issue at hand.
