Description
The /skills/search endpoint accepts an include_unreviewed query parameter that exposes skills pending safety review to any unauthenticated caller. No authentication or authorization check gates this parameter.
In server/src/routes/search.ts:22:

```ts
const includeUnreviewed = url.searchParams.get("include_unreviewed") === "true";
```

When include_unreviewed=true, the SQL filter changes from requiring review_status = 'approved' to also including review_status = 'pending', making unvetted skills visible in search results.
The parameter name implies admin intent, but any anonymous HTTP request can set it. This allows an attacker to:
- View skills that are pending safety review, including potentially malicious code that has not been vetted
- Discover internal or sensitive skills before they are approved for public visibility
- Use the marketplace as a staging area: publish a skill and immediately retrieve it before review completes
Steps to reproduce
- Start the marketplace server with at least one skill in `pending` review status.
- Normal search hides pending skills:

  ```sh
  curl -s 'http://localhost:4402/skills/search?q=secret'
  # Returns: 0 results (pending skills hidden)
  ```

- Add `include_unreviewed=true` to reveal them:

  ```sh
  curl -s 'http://localhost:4402/skills/search?q=secret&include_unreviewed=true'
  # Returns: pending skills visible (e.g., "secret-internal-api" with reviewStatus="pending")
  ```

- Browse all skills with and without the parameter:

  ```sh
  curl -s 'http://localhost:4402/skills/search'
  # Returns: 2 skills (approved only)
  curl -s 'http://localhost:4402/skills/search?include_unreviewed=true'
  # Returns: 3 skills (approved + pending)
  ```

- Confirm it works across all search modes (query, tags, browse-all):

  ```sh
  curl -s 'http://localhost:4402/skills/search?tags=internal&include_unreviewed=true'
  # Returns: pending skills with matching tags
  ```
Expected behavior
The include_unreviewed parameter should require admin authentication. Unauthenticated callers should only see skills with review_status = 'approved'.
Version
OpenClaw Foundry v0.2.3 (commit ef58717)
Severity
High
The bypass is unauthenticated and trivial (append a query parameter). It exposes unvetted skills that may contain malicious code to all users. In the context of a marketplace where agents install and execute skills, exposing unreviewed code undermines the entire safety review pipeline.
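
One way to enforce the expected behavior described above, as an added example that is not OpenClaw Foundry code: the flag only takes effect for an authenticated admin. The `Caller` type, `handleSearch`, `visibleStatuses`, the `query` helper and the 403 response are assumptions, and the sample skills are constructed (only `secret-internal-api` is named in the report).

```typescript
// Added example; not OpenClaw Foundry code. All names here are hypothetical.
type ReviewStatus = "approved" | "pending";
interface Params { get(name: string): string | null } // URLSearchParams fits this shape
interface Caller { isAdmin: boolean }                  // assumed output of an auth step
interface Skill { name: string; reviewStatus: ReviewStatus }
interface SearchResult { status: number; skills: Skill[] }

// Constructed sample data: 2 approved, 1 pending, matching the counts in the report.
const SAMPLE_SKILLS: Skill[] = [
  { name: "weather-lookup", reviewStatus: "approved" },
  { name: "pdf-summarizer", reviewStatus: "approved" },
  { name: "secret-internal-api", reviewStatus: "pending" },
];

// Helper: wrap a plain object so it behaves like url.searchParams.
function query(values: { [key: string]: string }): Params {
  return {
    get(name: string): string | null {
      const v = values[name];
      return v === undefined ? null : v;
    },
  };
}

// The review statuses a caller may see. The flag alone grants nothing:
// it only takes effect when the authenticated caller is an admin.
function visibleStatuses(params: Params, caller: Caller | null): ReviewStatus[] | null {
  const includeUnreviewed = params.get("include_unreviewed") === "true";
  if (!includeUnreviewed) return ["approved"];
  if (caller === null || !caller.isAdmin) return null; // denied
  return ["approved", "pending"];
}

// caller === null models an anonymous request.
function handleSearch(params: Params, caller: Caller | null, skills: Skill[]): SearchResult {
  const statuses = visibleStatuses(params, caller);
  if (statuses === null) {
    // Reject rather than silently ignore, so probing shows up as 403s in logs.
    return { status: 403, skills: [] };
  }
  const visible = skills.filter((s) => statuses.indexOf(s.reviewStatus) !== -1);
  return { status: 200, skills: visible };
}
```

Silently falling back to approved-only results for non-admin callers would also satisfy the expected behavior; the 403 is chosen here so that attempts to use the flag are visible.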