OpenClaw v2026.5.3 Ships File Transfer Plugin: Binary File Ops Add New Attack Surface

OpenClaw v2026.5.3 adds a bundled file transfer plugin with file_fetch, dir_list, dir_fetch, file_write tools enabling binary file ops between paired nodes with 16MB limit. Default-deny path policy mitigates risk but expands attack surface for misconfigured instances.

Product Idea from this Signal

A CLI tool that audits OpenClaw file transfer plugin configurations and blocks unsafe binary operations before they execute

387.0k ▲

OpenClaw v2026.5.3 shipped a file transfer plugin with file_fetch, dir_list, dir_fetch, and file_write tools that enable binary file operations between paired agent nodes with a 16MB per-round-trip ceiling. While it ships with a default-deny path policy, misconfigured instances expose the full filesystem to agent-controlled binary writes. With 245,000 publicly accessible OpenClaw instances (Shodan + ZoomEye May 2026) and 433 CVEs in 164 days, a dedicated auditor for file transfer policies fills a gap the built-in security audit command doesn't cover yet.

CLISECURITYOPEN-SOURCEDEVTOOL

CompetitiveView Opportunity →