Testing actual package implementations... Vulnerable: /root/.pruva/runs/ghsa-qrq5-wjgg-rvqw_20260219-192855/artifacts/openclaw-vulnerable/package/dist/plugins/install.js Fixed: /root/.pruva/runs/ghsa-qrq5-wjgg-rvqw_20260219-192855/artifacts/openclaw-fixed/package/dist/plugins/install.js ================================================================================ SIDE-BY-SIDE COMPARISON ================================================================================ Package: "@malicious/.." PluginId: ".." Vulnerable: ❌ ESCAPES /home/user/.openclaw Fixed: ✓ BLOCKED - invalid plugin name: reserved path segment Package: "@scope/" PluginId: "" Vulnerable: ✓ safe /home/user/.openclaw/extensions Fixed: ✓ BLOCKED - invalid plugin name: missing Package: "@scope/ " PluginId: "" Vulnerable: ✓ safe /home/user/.openclaw/extensions Fixed: ✓ BLOCKED - invalid plugin name: missing Package: "@scope/....//" PluginId: "" Vulnerable: ✓ safe /home/user/.openclaw/extensions Fixed: ✓ BLOCKED - invalid plugin name: missing Package: "@scope//.." PluginId: ".." Vulnerable: ❌ ESCAPES /home/user/.openclaw Fixed: ✓ BLOCKED - invalid plugin name: reserved path segment Package: ".." PluginId: ".." Vulnerable: ❌ ESCAPES /home/user/.openclaw Fixed: ✓ BLOCKED - invalid plugin name: reserved path segment Package: "." PluginId: "." Vulnerable: ✓ safe /home/user/.openclaw/extensions Fixed: ✓ BLOCKED - invalid plugin name: reserved path segment Package: "@scope/..\.." PluginId: "..\.." Vulnerable: ✓ safe /home/user/.openclaw/extensions/..\.. Fixed: ✓ BLOCKED - invalid plugin name: path separators not allowed Package: "@scope/。" PluginId: "。" Vulnerable: ✓ safe /home/user/.openclaw/extensions/。 Fixed: ✓ safe /home/user/.openclaw/extensions/。 Package: "@scope/%2e%2e" PluginId: "%2e%2e" Vulnerable: ✓ safe /home/user/.openclaw/extensions/%2e%2e Fixed: ✓ safe /home/user/.openclaw/extensions/%2e%2e Package: "@scope/" PluginId: "" Vulnerable: ✓ safe /home/user/.openclaw/extensions/ Fixed: ✓ safe /home/user/.openclaw/extensions/ Package: "@scope/ab" PluginId: "ab" Vulnerable: ✓ safe /home/user/.openclaw/extensions/ab Fixed: ✓ safe /home/user/.openclaw/extensions/ab Package: "@scope/.." PluginId: ".." Vulnerable: ✓ safe /home/user/.openclaw/extensions/.. Fixed: ✓ safe /home/user/.openclaw/extensions/.. ================================================================================ SUMMARY ================================================================================ Vulnerable escapes: 3 Bypasses found: 0 ✓ No bypasses found - fix is effective