[Security]: Use of in operator in hasExplicitProviderAccountConfig can lead to prototype pollution bypass #34926
Description
Bug type
Behavior bug (incorrect output/state without crash)
Summary
The helper function hasExplicitProviderAccountConfig (in src/security/audit-channel.ts) uses the JavaScript in operator to check whether a given accountId exists in the accounts configuration object. The in operator also traverses the object's prototype chain, meaning that if an attacker can supply a specially crafted accountId (e.g., __proto__ or constructor), the check will erroneously return true even though no such account is actually configured.
This behavior can cause the security audit to misclassify the configuration, potentially suppressing legitimate warnings or treating non‑existent accounts as explicitly configured, which may weaken security guarantees.
Steps to reproduce
Because this issue is reported publicly and I consider it a proactive hardening measure rather than an actively exploited vulnerability, I deliberately refrain from publishing exact exploit steps or proof‑of‑concept code. The goal is to raise the bar for potential adversaries while giving maintainers and advanced users enough information to understand the rationale behind the change.
Expected behavior
There should not be a security issue.
Actual behavior
There is a potential security issue.
OpenClaw version
Latest
Operating system
All operating systems
Install method
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response
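The prototype-chain behaviour of the `in` operator that the Summary describes, as an added illustration. This is not code from the OpenClaw report or from src/security/audit-channel.ts: the `ProviderAccountsConfig` type, the two check functions and the sample configuration are hypothetical stand-ins constructed here to show the unsafe check beside a hardened one.

```typescript
// Hypothetical shape of an accounts map; the real type in audit-channel.ts is not shown on the page.
type ProviderAccountsConfig = Record<string, { token?: string }>;

// Constructed sample configuration with exactly one explicitly configured account.
const SAMPLE_CONFIG: ProviderAccountsConfig = { "acme-prod": { token: "redacted" } };

// Unsafe pattern: `in` walks the prototype chain, so any key that exists on
// Object.prototype ("constructor", "__proto__", "toString", ...) answers true
// even though no such account was ever configured.
function hasAccountUnsafe(accounts: ProviderAccountsConfig, accountId: string): boolean {
  return accountId in accounts;
}

// Hardened pattern: consult only the object's own properties. hasOwnProperty is
// taken from Object.prototype via .call so an own property named "hasOwnProperty"
// in the config cannot shadow it. Object.hasOwn(accounts, accountId) is the
// ES2022 equivalent.
function hasAccountSafe(accounts: ProviderAccountsConfig, accountId: string): boolean {
  return Object.prototype.hasOwnProperty.call(accounts, accountId);
}

// Returns, for each probed id, the answer of the unsafe check and of the safe check,
// so the divergence on inherited keys is visible side by side.
function probeIds(accounts: ProviderAccountsConfig, ids: string[]): Record<string, { unsafe: boolean; safe: boolean }> {
  const out: Record<string, { unsafe: boolean; safe: boolean }> = {};
  for (const id of ids) {
    out[id] = { unsafe: hasAccountUnsafe(accounts, id), safe: hasAccountSafe(accounts, id) };
  }
  return out;
}

// Ids an attacker-controlled accountId might carry: one real account, two
// Object.prototype members, and one genuinely absent id.
const PROBES = ["acme-prod", "__proto__", "constructor", "missing-account"];
const RESULTS = probeIds(SAMPLE_CONFIG, PROBES);
for (const id of PROBES) {
  console.log(`${id}: in -> ${RESULTS[id].unsafe}, hasOwnProperty -> ${RESULTS[id].safe}`);
}
```

Only "acme-prod" is an own key, so the hardened check is the one whose answer matches the configuration; the `in` check also reports "__proto__" and "constructor" as present. An audit that treats "present" as "explicitly configured" would therefore misclassify those ids, which is the misclassification the report describes.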