[GHSA-943q-mwmv-hhvh] OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval

[OstensibleParadox]

Updates

• References

Comments
Request: add @OstensibleParadox to Credits as Reporter (or Co-reporter) for the HTTP /tools/invoke parity sub-issue (missing before_tool_call interposition on HTTP path).

Rationale (UTC):

• GHSA-943q was published on 2026-02-14 (GitHub Advisory Database publish: 2026-03-02) and references ee31cd4, bb1c3dfe1, 539689a2f, 153a7644e.
• The parity sub-issue was privately disclosed on 2026-03-11 08:46:06 UTC.
• Maintainer reply acknowledging parity bug was sent on 2026-03-11 14:49:14 UTC.
• The parity issue was fixed in commit 8cc0c9baf at 2026-03-11 20:18:24 UTC.
• Commit 8cc0c9baf is not listed in GHSA-943q references, so this attribution is currently incomplete.

This request is attribution-only and does not request severity or ownership changes.

[github]

Hi there @steipete! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[OstensibleParadox]

Attribution-only clarification (no severity or scope change requested):

The HTTP parity sub-issue (/tools/invoke missing before_tool_call interposition) was privately disclosed on 2026-03-11 08:46:06 UTC, acknowledged by maintainer reply at 2026-03-11 14:49:14 UTC, and fixed in commit 8cc0c9baf at 2026-03-11 20:18:24 UTC.

This specific sub-issue was not part of the original 2026-02-14 GHSA publication text and the fixing commit is currently not referenced in GHSA-943q credits.

Request: add @OstensibleParadox in Credits as Reporter (or Co-reporter) for this sub-issue, without changing advisory severity.