VDB
HIGH 7.3

GHSA-cv2p-68f4-f4pw

picoclaw is vulnerable to OS command injection via the ExecTool component

Details

picoclaw versions up to and including v0.1.2 are vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.
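The guard described above tries to filter strings that a shell will later interpret, and a denylist of patterns is hard to make complete. The added example below (not picoclaw's code) shows the alternative a reviewer would ask for: tokenize the request into argv, check the program name against an allowlist, and execute it with exec.Command so no shell is involved; the allowlist contents are an assumption for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// allowedBinaries is the set of executables the tool may run.
// It is an assumption for this example, not picoclaw's configuration.
var allowedBinaries = map[string]bool{"ls": true, "cat": true, "git": true}

// ErrNotAllowed is returned for any request that does not pass the allowlist.
var ErrNotAllowed = errors.New("command not in allowlist")

// buildCommand splits a request on whitespace (no quoting, no expansion,
// no pipes) and checks the program name against the allowlist. The result
// is meant for exec.Command, which does not start a shell, so characters
// such as ; | $ ( ) reach the program as ordinary argument text and cannot
// chain or substitute commands.
func buildCommand(request string) ([]string, error) {
	argv := strings.Fields(request)
	if len(argv) == 0 {
		return nil, ErrNotAllowed
	}
	// Reject path forms: "./ls" or "/bin/ls" would sidestep a name-based allowlist.
	if strings.ContainsAny(argv[0], "/\\") || !allowedBinaries[argv[0]] {
		return nil, ErrNotAllowed
	}
	return argv, nil
}

// run executes argv directly, never through "sh -c".
func run(argv []string) ([]byte, error) {
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// Constructed sample requests: one allowed, one with shell metacharacters
	// (which become plain arguments), one naming a non-allowlisted program.
	for _, req := range []string{"ls -la", "cat notes.txt; id", "bash -c id"} {
		argv, err := buildCommand(req)
		fmt.Printf("%q -> argv=%q err=%v\n", req, argv, err)
	}
}
```

With this design the guard's correctness no longer depends on enumerating every dangerous shell construct, because there is no shell to reach.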

Affected packages

Go / github.com/sipeed/picoclaw
Introduced in: 0

No fixed version published yet for github.com/sipeed/picoclaw (go modules). Pin to a known-safe version or switch to an alternative.

References