fix(infra): harden tmp dir selection

CHANGELOG.md

@@ -75,6 +75,8 @@ Docs: https://docs.openclaw.ai
 - Security/Gateway: breaking default-behavior change - canvas IP-based auth fallback now only accepts machine-scoped addresses (RFC1918, link-local, ULA IPv6, CGNAT); public-source IP matches now require bearer token auth. (#14661) Thanks @sumleo.
 - Security/Link understanding: block loopback/internal host patterns and private/mapped IPv6 addresses in extracted URL handling to close SSRF bypasses in link CLI flows. (#15604) Thanks @AI-Reviewer-QS.
 - Security/Browser: constrain `POST /trace/stop`, `POST /wait/download`, and `POST /download` output paths to OpenClaw temp roots and reject traversal/escape paths.
+- Security/Browser: sanitize download `suggestedFilename` to keep implicit `wait/download` paths within the downloads root. Thanks @1seal.
+- Security/Browser: confine `POST /hooks/file-chooser` upload paths to an OpenClaw temp uploads root and reject traversal/escape paths. Thanks @1seal.
 - Security/Canvas: serve A2UI assets via the shared safe-open path (`openFileWithinRoot`) to close traversal/TOCTOU gaps, with traversal and symlink regression coverage. (#10525) Thanks @abdelsfane.
 - Security/WhatsApp: enforce `0o600` on `creds.json` and `creds.json.bak` on save/backup/restore paths to reduce credential file exposure. (#10529) Thanks @abdelsfane.
 - Security/Gateway: sanitize and truncate untrusted WebSocket header values in pre-handshake close logs to reduce log-poisoning risk. Thanks @thewilloftheshadow.

docs/tools/browser.md

@@ -411,7 +411,7 @@ Actions:
 - `openclaw browser select 9 OptionA OptionB`
 - `openclaw browser download e12 report.pdf`
 - `openclaw browser waitfordownload report.pdf`
-- `openclaw browser upload /tmp/file.pdf`
+- `openclaw browser upload /tmp/openclaw/uploads/file.pdf`
 - `openclaw browser fill --fields '[{"ref":"1","type":"text","value":"Ada"}]'`
 - `openclaw browser dialog --accept`
 - `openclaw browser wait --text "Done"`
@@ -447,6 +447,8 @@ Notes:
 - Download and trace output paths are constrained to OpenClaw temp roots:
   - traces: `/tmp/openclaw` (fallback: `${os.tmpdir()}/openclaw`)
   - downloads: `/tmp/openclaw/downloads` (fallback: `${os.tmpdir()}/openclaw/downloads`)
+- Upload paths are constrained to an OpenClaw temp uploads root:
+  - uploads: `/tmp/openclaw/uploads` (fallback: `${os.tmpdir()}/openclaw/uploads`)
 - `upload` can also set file inputs directly via `--input-ref` or `--element`.
 - `snapshot`:
   - `--format ai` (default when Playwright is installed): returns an AI snapshot with numeric refs (`aria-ref="<n>"`).

src/agents/tools/browser-tool.ts

@@ -21,6 +21,7 @@ import {
 } from "../../browser/client.js";
 import { resolveBrowserConfig } from "../../browser/config.js";
 import { DEFAULT_AI_SNAPSHOT_MAX_CHARS } from "../../browser/constants.js";
+import { DEFAULT_UPLOAD_DIR, resolvePathsWithinRoot } from "../../browser/paths.js";
 import { loadConfig } from "../../config/config.js";
 import { saveMediaBuffer } from "../../media/store.js";
 import { wrapExternalContent } from "../../security/external-content.js";
@@ -724,6 +725,15 @@ export function createBrowserTool(opts?: {
           if (paths.length === 0) {
             throw new Error("paths required");
           }
+          const uploadPathsResult = resolvePathsWithinRoot({
+            rootDir: DEFAULT_UPLOAD_DIR,
+            requestedPaths: paths,
+            scopeLabel: `uploads directory (${DEFAULT_UPLOAD_DIR})`,
+          });
+          if (!uploadPathsResult.ok) {
+            throw new Error(uploadPathsResult.error);
+          }
+          const normalizedPaths = uploadPathsResult.paths;
           const ref = readStringParam(params, "ref");
           const inputRef = readStringParam(params, "inputRef");
           const element = readStringParam(params, "element");
@@ -738,7 +748,7 @@ export function createBrowserTool(opts?: {
               path: "/hooks/file-chooser",
               profile,
               body: {
-                paths,
+                paths: normalizedPaths,
                 ref,
                 inputRef,
                 element,
@@ -750,7 +760,7 @@ export function createBrowserTool(opts?: {
           }
           return jsonResult(
             await browserArmFileChooser(baseUrl, {
-              paths,
+              paths: normalizedPaths,
               ref,
               inputRef,
               element,

src/browser/paths.ts

@@ -0,0 +1,49 @@
+import path from "node:path";
+import { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";
+
+export const DEFAULT_BROWSER_TMP_DIR = resolvePreferredOpenClawTmpDir();
+export const DEFAULT_TRACE_DIR = DEFAULT_BROWSER_TMP_DIR;
+export const DEFAULT_DOWNLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "downloads");
+export const DEFAULT_UPLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "uploads");
+
+export function resolvePathWithinRoot(params: {
+  rootDir: string;
+  requestedPath: string;
+  scopeLabel: string;
+  defaultFileName?: string;
+}): { ok: true; path: string } | { ok: false; error: string } {
+  const root = path.resolve(params.rootDir);
+  const raw = params.requestedPath.trim();
+  if (!raw) {
+    if (!params.defaultFileName) {
+      return { ok: false, error: "path is required" };
+    }
+    return { ok: true, path: path.join(root, params.defaultFileName) };
+  }
+  const resolved = path.resolve(root, raw);
+  const rel = path.relative(root, resolved);
+  if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
+    return { ok: false, error: `Invalid path: must stay within ${params.scopeLabel}` };
+  }
+  return { ok: true, path: resolved };
+}
+
+export function resolvePathsWithinRoot(params: {
+  rootDir: string;
+  requestedPaths: string[];
+  scopeLabel: string;
+}): { ok: true; paths: string[] } | { ok: false; error: string } {
+  const resolvedPaths: string[] = [];
+  for (const raw of params.requestedPaths) {
+    const pathResult = resolvePathWithinRoot({
+      rootDir: params.rootDir,
+      requestedPath: raw,
+      scopeLabel: params.scopeLabel,
+    });
+    if (!pathResult.ok) {
+      return { ok: false, error: pathResult.error };
+    }
+    resolvedPaths.push(pathResult.path);
+  }
+  return { ok: true, paths: resolvedPaths };
+}

src/browser/pw-tools-core.downloads.ts

@@ -18,9 +18,38 @@ import {
   toAIFriendlyError,
 } from "./pw-tools-core.shared.js";
 
+function sanitizeDownloadFileName(fileName: string): string {
+  const trimmed = String(fileName ?? "").trim();
+  if (!trimmed) {
+    return "download.bin";
+  }
+
+  // `suggestedFilename()` is untrusted (influenced by remote servers). Force a basename so
+  // path separators/traversal can't escape the downloads dir on any platform.
+  let base = path.posix.basename(trimmed);
+  base = path.win32.basename(base);
+  let cleaned = "";
+  for (let i = 0; i < base.length; i++) {
+    const code = base.charCodeAt(i);
+    if (code < 0x20 || code === 0x7f) {
+      continue;
+    }
+    cleaned += base[i];
+  }
+  base = cleaned.trim();
+
+  if (!base || base === "." || base === "..") {
+    return "download.bin";
+  }
+  if (base.length > 200) {
+    base = base.slice(0, 200);
+  }
+  return base;
+}
+
 function buildTempDownloadPath(fileName: string): string {
   const id = crypto.randomUUID();
-  const safeName = fileName.trim() ? fileName.trim() : "download.bin";
+  const safeName = sanitizeDownloadFileName(fileName);
   return path.join(resolvePreferredOpenClawTmpDir(), "downloads", `${id}-${safeName}`);
 }
 

src/browser/pw-tools-core.waits-next-download-saves-it.test.ts

@@ -171,6 +171,46 @@ describe("pw-tools-core", () => {
     expect(path.normalize(res.path)).toContain(path.normalize(expectedDownloadsTail));
     expect(tmpDirMocks.resolvePreferredOpenClawTmpDir).toHaveBeenCalled();
   });
+
+  it("sanitizes suggested download filenames to prevent traversal escapes", async () => {
+    let downloadHandler: ((download: unknown) => void) | undefined;
+    const on = vi.fn((event: string, handler: (download: unknown) => void) => {
+      if (event === "download") {
+        downloadHandler = handler;
+      }
+    });
+    const off = vi.fn();
+
+    const saveAs = vi.fn(async () => {});
+    const download = {
+      url: () => "https://example.com/evil",
+      suggestedFilename: () => "../../../../etc/passwd",
+      saveAs,
+    };
+
+    tmpDirMocks.resolvePreferredOpenClawTmpDir.mockReturnValue("/tmp/openclaw-preferred");
+    currentPage = { on, off };
+
+    const p = mod.waitForDownloadViaPlaywright({
+      cdpUrl: "http://127.0.0.1:18792",
+      targetId: "T1",
+      timeoutMs: 1000,
+    });
+
+    await Promise.resolve();
+    downloadHandler?.(download);
+
+    const res = await p;
+    const outPath = vi.mocked(saveAs).mock.calls[0]?.[0];
+    expect(typeof outPath).toBe("string");
+    expect(path.dirname(String(outPath))).toBe(
+      path.join(path.sep, "tmp", "openclaw-preferred", "downloads"),
+    );
+    expect(path.basename(String(outPath))).toMatch(/-passwd$/);
+    expect(path.normalize(res.path)).toContain(
+      path.normalize(`${path.join("tmp", "openclaw-preferred", "downloads")}${path.sep}`),
+    );
+  });
   it("waits for a matching response and returns its body", async () => {
     let responseHandler: ((resp: unknown) => void) | undefined;
     const on = vi.fn((event: string, handler: (resp: unknown) => void) => {

src/browser/routes/agent.act.ts

@@ -14,7 +14,12 @@ import {
   resolveProfileContext,
   SELECTOR_UNSUPPORTED_MESSAGE,
 } from "./agent.shared.js";
-import { DEFAULT_DOWNLOAD_DIR, resolvePathWithinRoot } from "./path-output.js";
+import {
+  DEFAULT_DOWNLOAD_DIR,
+  DEFAULT_UPLOAD_DIR,
+  resolvePathWithinRoot,
+  resolvePathsWithinRoot,
+} from "./path-output.js";
 import { jsonError, toBoolean, toNumber, toStringArray, toStringOrEmpty } from "./utils.js";
 
 export function registerBrowserAgentActRoutes(
@@ -355,6 +360,17 @@ export function registerBrowserAgentActRoutes(
       return jsonError(res, 400, "paths are required");
     }
     try {
+      const uploadPathsResult = resolvePathsWithinRoot({
+        rootDir: DEFAULT_UPLOAD_DIR,
+        requestedPaths: paths,
+        scopeLabel: `uploads directory (${DEFAULT_UPLOAD_DIR})`,
+      });
+      if (!uploadPathsResult.ok) {
+        res.status(400).json({ error: uploadPathsResult.error });
+        return;
+      }
+      const resolvedPaths = uploadPathsResult.paths;
+
       const tab = await profileCtx.ensureTabAvailable(targetId);
       const pw = await requirePwAi(res, "file chooser hook");
       if (!pw) {
@@ -369,13 +385,13 @@ export function registerBrowserAgentActRoutes(
           targetId: tab.targetId,
           inputRef,
           element,
-          paths,
+          paths: resolvedPaths,
         });
       } else {
         await pw.armFileUploadViaPlaywright({
           cdpUrl: profileCtx.profile.cdpUrl,
           targetId: tab.targetId,
-          paths,
+          paths: resolvedPaths,
           timeoutMs: timeoutMs ?? undefined,
         });
         if (ref) {

src/browser/routes/path-output.ts

@@ -1,28 +1 @@
-import path from "node:path";
-import { resolvePreferredOpenClawTmpDir } from "../../infra/tmp-openclaw-dir.js";
-
-export const DEFAULT_BROWSER_TMP_DIR = resolvePreferredOpenClawTmpDir();
-export const DEFAULT_TRACE_DIR = DEFAULT_BROWSER_TMP_DIR;
-export const DEFAULT_DOWNLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "downloads");
-
-export function resolvePathWithinRoot(params: {
-  rootDir: string;
-  requestedPath: string;
-  scopeLabel: string;
-  defaultFileName?: string;
-}): { ok: true; path: string } | { ok: false; error: string } {
-  const root = path.resolve(params.rootDir);
-  const raw = params.requestedPath.trim();
-  if (!raw) {
-    if (!params.defaultFileName) {
-      return { ok: false, error: "path is required" };
-    }
-    return { ok: true, path: path.join(root, params.defaultFileName) };
-  }
-  const resolved = path.resolve(root, raw);
-  const rel = path.relative(root, resolved);
-  if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
-    return { ok: false, error: `Invalid path: must stay within ${params.scopeLabel}` };
-  }
-  return { ok: true, path: resolved };
-}
+export * from "../paths.js";

src/browser/server.agent-contract-form-layout-act-commands.test.ts

@@ -1,6 +1,8 @@
 import { type AddressInfo, createServer } from "node:net";
+import path from "node:path";
 import { fetch as realFetch } from "undici";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { DEFAULT_UPLOAD_DIR } from "./routes/path-output.js";
 
 let testPort = 0;
 let cdpBaseUrl = "";
@@ -399,35 +401,55 @@ describe("browser control server", () => {
   it("agent contract: hooks + response + downloads + screenshot", async () => {
     const base = await startServerAndBase();
 
+    const uploadA = path.join(DEFAULT_UPLOAD_DIR, "a.txt");
     const upload = await postJson(`${base}/hooks/file-chooser`, {
-      paths: ["/tmp/a.txt"],
+      paths: [uploadA],
       timeoutMs: 1234,
     });
     expect(upload).toMatchObject({ ok: true });
     expect(pwMocks.armFileUploadViaPlaywright).toHaveBeenCalledWith({
       cdpUrl: cdpBaseUrl,
       targetId: "abcd1234",
-      paths: ["/tmp/a.txt"],
+      paths: [uploadA],
       timeoutMs: 1234,
     });
 
+    const uploadB = path.join(DEFAULT_UPLOAD_DIR, "b.txt");
     const uploadWithRef = await postJson(`${base}/hooks/file-chooser`, {
-      paths: ["/tmp/b.txt"],
+      paths: [uploadB],
       ref: "e12",
     });
     expect(uploadWithRef).toMatchObject({ ok: true });
 
+    const uploadC = path.join(DEFAULT_UPLOAD_DIR, "c.txt");
     const uploadWithInputRef = await postJson(`${base}/hooks/file-chooser`, {
-      paths: ["/tmp/c.txt"],
+      paths: [uploadC],
       inputRef: "e99",
     });
     expect(uploadWithInputRef).toMatchObject({ ok: true });
+    expect(pwMocks.setInputFilesViaPlaywright).toHaveBeenCalledWith(
+      expect.objectContaining({
+        cdpUrl: cdpBaseUrl,
+        targetId: "abcd1234",
+        inputRef: "e99",
+        paths: [uploadC],
+      }),
+    );
 
+    const uploadD = path.join(DEFAULT_UPLOAD_DIR, "d.txt");
     const uploadWithElement = await postJson(`${base}/hooks/file-chooser`, {
-      paths: ["/tmp/d.txt"],
+      paths: [uploadD],
       element: "input[type=file]",
     });
     expect(uploadWithElement).toMatchObject({ ok: true });
+    expect(pwMocks.setInputFilesViaPlaywright).toHaveBeenCalledWith(
+      expect.objectContaining({
+        cdpUrl: cdpBaseUrl,
+        targetId: "abcd1234",
+        element: "input[type=file]",
+        paths: [uploadD],
+      }),
+    );
 
     const dialog = await postJson(`${base}/hooks/dialog`, {
       accept: true,
@@ -492,6 +514,15 @@ describe("browser control server", () => {
     expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
   });
 
+  it("trace stop rejects absolute path outside trace dir", async () => {
+    const base = await startServerAndBase();
+    const res = await postJson<{ error?: string }>(`${base}/trace/stop`, {
+      path: path.resolve("/", "pwned.zip"),
+    });
+    expect(res.error).toContain("Invalid path");
+    expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
+  });
+
   it("trace stop accepts in-root relative output path", async () => {
     const base = await startServerAndBase();
     const res = await postJson<{ ok?: boolean; path?: string }>(`${base}/trace/stop`, {
@@ -508,6 +539,27 @@ describe("browser control server", () => {
     );
   });
 
+  it("hooks/file-chooser rejects traversal path outside uploads dir", async () => {
+    const base = await startServerAndBase();
+    const res = await postJson<{ error?: string }>(`${base}/hooks/file-chooser`, {
+      paths: ["../../pwned.txt"],
+    });
+    expect(res.error).toContain("Invalid path");
+    expect(pwMocks.armFileUploadViaPlaywright).not.toHaveBeenCalled();
+    expect(pwMocks.setInputFilesViaPlaywright).not.toHaveBeenCalled();
+  });
+
+  it("hooks/file-chooser rejects absolute path outside uploads dir", async () => {
+    const base = await startServerAndBase();
+    const outside = path.resolve(DEFAULT_UPLOAD_DIR, "..", "..", "pwned.txt");
+    const res = await postJson<{ error?: string }>(`${base}/hooks/file-chooser`, {
+      paths: [outside],
+    });
+    expect(res.error).toContain("Invalid path");
+    expect(pwMocks.armFileUploadViaPlaywright).not.toHaveBeenCalled();
+    expect(pwMocks.setInputFilesViaPlaywright).not.toHaveBeenCalled();
+  });
+
   it("wait/download rejects traversal path outside downloads dir", async () => {
     const base = await startServerAndBase();
     const waitRes = await postJson<{ error?: string }>(`${base}/wait/download`, {
@@ -517,6 +569,15 @@ describe("browser control server", () => {
     expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
   });
 
+  it("wait/download rejects absolute path outside downloads dir", async () => {
+    const base = await startServerAndBase();
+    const waitRes = await postJson<{ error?: string }>(`${base}/wait/download`, {
+      path: path.resolve("/", "pwned.pdf"),
+    });
+    expect(waitRes.error).toContain("Invalid path");
+    expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
+  });
+
   it("download rejects traversal path outside downloads dir", async () => {
     const base = await startServerAndBase();
     const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
@@ -527,6 +588,16 @@ describe("browser control server", () => {
     expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
   });
 
+  it("download rejects absolute path outside downloads dir", async () => {
+    const base = await startServerAndBase();
+    const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
+      ref: "e12",
+      path: path.resolve("/", "pwned.pdf"),
+    });
+    expect(downloadRes.error).toContain("Invalid path");
+    expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
+  });
+
   it("wait/download accepts in-root relative output path", async () => {
     const base = await startServerAndBase();
     const res = await postJson<{ ok?: boolean; download?: { path?: string } }>(

src/cli/browser-cli-actions-input/register.files-downloads.ts

@@ -1,10 +1,23 @@
 import type { Command } from "commander";
+import { DEFAULT_UPLOAD_DIR, resolvePathsWithinRoot } from "../../browser/paths.js";
 import { danger } from "../../globals.js";
 import { defaultRuntime } from "../../runtime.js";
 import { shortenHomePath } from "../../utils.js";
 import { callBrowserRequest, type BrowserParentOpts } from "../browser-cli-shared.js";
 import { resolveBrowserActionContext } from "./shared.js";
 
+function normalizeUploadPaths(paths: string[]): string[] {
+  const result = resolvePathsWithinRoot({
+    rootDir: DEFAULT_UPLOAD_DIR,
+    requestedPaths: paths,
+    scopeLabel: `uploads directory (${DEFAULT_UPLOAD_DIR})`,
+  });
+  if (!result.ok) {
+    throw new Error(result.error);
+  }
+  return result.paths;
+}
+
 export function registerBrowserFilesAndDownloadsCommands(
   browser: Command,
   parentOpts: (cmd: Command) => BrowserParentOpts,
@@ -12,7 +25,10 @@ export function registerBrowserFilesAndDownloadsCommands(
   browser
     .command("upload")
     .description("Arm file upload for the next file chooser")
-    .argument("<paths...>", "File paths to upload")
+    .argument(
+      "<paths...>",
+      "File paths to upload (must be within OpenClaw temp uploads dir, e.g. /tmp/openclaw/uploads/file.pdf)",
+    )
     .option("--ref <ref>", "Ref id from snapshot to click after arming")
     .option("--input-ref <ref>", "Ref id for <input type=file> to set directly")
     .option("--element <selector>", "CSS selector for <input type=file>")
@@ -25,6 +41,7 @@ export function registerBrowserFilesAndDownloadsCommands(
     .action(async (paths: string[], opts, cmd) => {
       const { parent, profile } = resolveBrowserActionContext(cmd, parentOpts);
       try {
+        const normalizedPaths = normalizeUploadPaths(paths);
         const timeoutMs = Number.isFinite(opts.timeoutMs) ? opts.timeoutMs : undefined;
         const result = await callBrowserRequest<{ download: { path: string } }>(
           parent,
@@ -33,7 +50,7 @@ export function registerBrowserFilesAndDownloadsCommands(
             path: "/hooks/file-chooser",
             query: profile ? { profile } : undefined,
             body: {
-              paths,
+              paths: normalizedPaths,
               ref: opts.ref?.trim() || undefined,
               inputRef: opts.inputRef?.trim() || undefined,
               element: opts.element?.trim() || undefined,

src/cli/browser-cli-examples.ts

@@ -24,7 +24,7 @@ export const browserActionExamples = [
   "openclaw browser hover 44",
   "openclaw browser drag 10 11",
   "openclaw browser select 9 OptionA OptionB",
-  "openclaw browser upload /tmp/file.pdf",
+  "openclaw browser upload /tmp/openclaw/uploads/file.pdf",
   'openclaw browser fill --fields \'[{"ref":"1","value":"Ada"}]\'',
   "openclaw browser dialog --accept",
   'openclaw browser wait --text "Done"',

src/infra/tmp-openclaw-dir.test.ts

@@ -5,12 +5,25 @@ import { POSIX_OPENCLAW_TMP_DIR, resolvePreferredOpenClawTmpDir } from "./tmp-op
 describe("resolvePreferredOpenClawTmpDir", () => {
   it("prefers /tmp/openclaw when it already exists and is writable", () => {
     const accessSync = vi.fn();
-    const statSync = vi.fn(() => ({ isDirectory: () => true }));
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40700,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
     const tmpdir = vi.fn(() => "/var/fallback");
 
-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
 
-    expect(statSync).toHaveBeenCalledTimes(1);
+    expect(lstatSync).toHaveBeenCalledTimes(1);
     expect(accessSync).toHaveBeenCalledTimes(1);
     expect(resolved).toBe(POSIX_OPENCLAW_TMP_DIR);
     expect(tmpdir).not.toHaveBeenCalled();
@@ -18,28 +31,63 @@ describe("resolvePreferredOpenClawTmpDir", () => {
 
   it("prefers /tmp/openclaw when it does not exist but /tmp is writable", () => {
     const accessSync = vi.fn();
-    const statSync = vi.fn(() => {
+    const lstatSync = vi.fn(() => {
       const err = new Error("missing") as Error & { code?: string };
       err.code = "ENOENT";
       throw err;
     });
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
     const tmpdir = vi.fn(() => "/var/fallback");
 
-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    // second lstat call (after mkdir) should succeed
+    lstatSync.mockImplementationOnce(() => {
+      const err = new Error("missing") as Error & { code?: string };
+      err.code = "ENOENT";
+      throw err;
+    });
+    lstatSync.mockImplementationOnce(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40700,
+    }));
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
 
     expect(resolved).toBe(POSIX_OPENCLAW_TMP_DIR);
     expect(accessSync).toHaveBeenCalledWith("/tmp", expect.any(Number));
+    expect(mkdirSync).toHaveBeenCalledWith(POSIX_OPENCLAW_TMP_DIR, expect.any(Object));
     expect(tmpdir).not.toHaveBeenCalled();
   });
 
   it("falls back to os.tmpdir()/openclaw when /tmp/openclaw is not a directory", () => {
     const accessSync = vi.fn();
-    const statSync = vi.fn(() => ({ isDirectory: () => false }));
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => false,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o100644,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
     const tmpdir = vi.fn(() => "/var/fallback");
 
-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
 
-    expect(resolved).toBe(path.join("/var/fallback", "openclaw"));
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
     expect(tmpdir).toHaveBeenCalledTimes(1);
   });
 
@@ -49,16 +97,96 @@ describe("resolvePreferredOpenClawTmpDir", () => {
         throw new Error("read-only");
       }
     });
-    const statSync = vi.fn(() => {
+    const lstatSync = vi.fn(() => {
       const err = new Error("missing") as Error & { code?: string };
       err.code = "ENOENT";
       throw err;
     });
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
     const tmpdir = vi.fn(() => "/var/fallback");
 
-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
 
-    expect(resolved).toBe(path.join("/var/fallback", "openclaw"));
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is a symlink", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => true,
+      uid: 501,
+      mode: 0o120777,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is not owned by the current user", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 0,
+      mode: 0o40700,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is group/other writable", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40777,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
     expect(tmpdir).toHaveBeenCalledTimes(1);
   });
 });

src/infra/tmp-openclaw-dir.ts

@@ -6,7 +6,14 @@ export const POSIX_OPENCLAW_TMP_DIR = "/tmp/openclaw";
 
 type ResolvePreferredOpenClawTmpDirOptions = {
   accessSync?: (path: string, mode?: number) => void;
-  statSync?: (path: string) => { isDirectory(): boolean };
+  lstatSync?: (path: string) => {
+    isDirectory(): boolean;
+    isSymbolicLink(): boolean;
+    mode?: number;
+    uid?: number;
+  };
+  mkdirSync?: (path: string, opts: { recursive: boolean; mode?: number }) => void;
+  getuid?: () => number | undefined;
   tmpdir?: () => string;
 };
 
@@ -25,26 +32,73 @@ export function resolvePreferredOpenClawTmpDir(
   options: ResolvePreferredOpenClawTmpDirOptions = {},
 ): string {
   const accessSync = options.accessSync ?? fs.accessSync;
-  const statSync = options.statSync ?? fs.statSync;
+  const lstatSync = options.lstatSync ?? fs.lstatSync;
+  const mkdirSync = options.mkdirSync ?? fs.mkdirSync;
+  const getuid =
+    options.getuid ??
+    (() => {
+      try {
+        return typeof process.getuid === "function" ? process.getuid() : undefined;
+      } catch {
+        return undefined;
+      }
+    });
   const tmpdir = options.tmpdir ?? os.tmpdir;
+  const uid = getuid();
+
+  const isSecureDirForUser = (st: { mode?: number; uid?: number }): boolean => {
+    if (uid === undefined) {
+      return true;
+    }
+    if (typeof st.uid === "number" && st.uid !== uid) {
+      return false;
+    }
+    // Avoid group/other writable dirs when running on multi-user hosts.
+    if (typeof st.mode === "number" && (st.mode & 0o022) !== 0) {
+      return false;
+    }
+    return true;
+  };
+
+  const fallback = (): string => {
+    const base = tmpdir();
+    const suffix = uid === undefined ? "openclaw" : `openclaw-${uid}`;
+    return path.join(base, suffix);
+  };
 
   try {
-    const preferred = statSync(POSIX_OPENCLAW_TMP_DIR);
-    if (!preferred.isDirectory()) {
-      return path.join(tmpdir(), "openclaw");
+    const preferred = lstatSync(POSIX_OPENCLAW_TMP_DIR);
+    if (!preferred.isDirectory() || preferred.isSymbolicLink()) {
+      return fallback();
     }
     accessSync(POSIX_OPENCLAW_TMP_DIR, fs.constants.W_OK | fs.constants.X_OK);
+    if (!isSecureDirForUser(preferred)) {
+      return fallback();
+    }
     return POSIX_OPENCLAW_TMP_DIR;
   } catch (err) {
     if (!isNodeErrorWithCode(err, "ENOENT")) {
-      return path.join(tmpdir(), "openclaw");
+      return fallback();
     }
   }
 
   try {
     accessSync("/tmp", fs.constants.W_OK | fs.constants.X_OK);
+    // Create with a safe default; subsequent callers expect it exists.
+    mkdirSync(POSIX_OPENCLAW_TMP_DIR, { recursive: true, mode: 0o700 });
+    try {
+      const preferred = lstatSync(POSIX_OPENCLAW_TMP_DIR);
+      if (!preferred.isDirectory() || preferred.isSymbolicLink()) {
+        return fallback();
+      }
+      if (!isSecureDirForUser(preferred)) {
+        return fallback();
+      }
+    } catch {
+      return fallback();
+    }
     return POSIX_OPENCLAW_TMP_DIR;
   } catch {
-    return path.join(tmpdir(), "openclaw");
+    return fallback();
   }
 }