OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script scripts/update-clawtributors.ts. The issue affects contributors/maintainers (or CI) who run bun scripts/update-clawtributors.ts in a source checkout that contains a malicious commit author email (e.g. crafted @users[.]noreply[.]github[.]com values). Normal CLI usage is not affected (npm i -g openclaw): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from git log author metadata and interpolated it into a shell command (via execSync). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.