| Field | Value |
|---|---|
| Title | AstrBotDevs AstrBot 4.23.6 Prompt Injection (CWE-74) |
| Source | https://gist.github.com/YLChen-007/f9d45a9c68b15a382677a820ee881bbb |
| User | Eric-a (UID 96353) |
| Submitted | 2026. 05. 07. PM 01:30 (28 days ago) |
| Moderation | 2026. 05. 31. AM 09:14 (24 days later) |
| Status | Accepted |
| VulDB Entry | 367489 [AstrBotDevs AstrBot 4.23.6 skill_manager.py _sanitize_prompt_description privilege escalation] |
| Points | 20 |

# Technical Details
A prompt injection vulnerability exists in the `build_skills_prompt` method in `astrbot/core/skills/skill_manager.py` of AstrBot.
The application fails to sanitize skill descriptions for locally uploaded skills. An attacker can upload a crafted `SKILL.md` file within a ZIP archive whose description is written as a YAML literal block scalar (`|`). Because the application only applies `_sanitize_prompt_description()` to `sandbox_only` skills, `local_only` skills bypass sanitization. This allows injecting arbitrary multiline instructions, including newlines and markdown code fences, that break out of the skill context and are interpreted directly as LLM system directives.
# Vulnerable Code
- File: `astrbot/core/skills/skill_manager.py`
- Method: `build_skills_prompt`
- Why: The sanitization function `_sanitize_prompt_description` is only applied when `skill.source_type == "sandbox_only"`. Locally uploaded skills are assigned `local_only`, and their descriptions are embedded directly into the system prompt without filtering.
# Reproduction
1. Authenticate to the AstrBot dashboard via `POST /api/auth/login`.
2. Create a ZIP archive with a malicious `SKILL.md` containing a prompt injection payload using a YAML block scalar `description: |`.
3. Upload the ZIP archive via `POST /api/skills/upload`.
4. Trigger any LLM interaction and observe the injected instructions embedded in the system prompt.
# Impact
- Prompt Hijacking: Complete control over the LLM's behavior and system instructions.
- Data Exfiltration: Attackers can instruct the LLM to execute shell commands and exfiltrate sensitive files (e.g., `/etc/passwd`).
- Persistent Backdoor: The malicious skill remains active until manually deleted.
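The root cause described above is a sanitization step gated on `source_type`, so the fix is to sanitize every description before it is placed in the prompt, regardless of origin. The following added Python example is not AstrBot's code; `Skill`, `sanitize_prompt_description`, the two `build_skills_prompt_*` variants and `prompt_is_well_formed` are hypothetical stand-ins modelled on the advisory. It shows the gated (vulnerable) builder beside the unconditional (fixed) one, a sanitizer that collapses a block-scalar description to a single line without code fences, and an invariant check a defender can run over the assembled prompt to detect a description that has escaped its slot. The sample descriptions are constructed and contain only newlines and an empty fence.

```python
"""Added illustration (not AstrBot's code): why sanitizing only one source type
leaves the prompt open, and what sanitizing every description looks like.
All names and data structures here are assumptions modelled on the advisory."""
from dataclasses import dataclass
import re

@dataclass
class Skill:
    name: str
    description: str
    source_type: str   # "sandbox_only" or "local_only", as named in the advisory

FENCE_RE = re.compile(r"`{3,}")

def sanitize_prompt_description(desc: str, max_len: int = 200) -> str:
    """Collapse a skill description to one plain line:
    - drop markdown code fences (they can open a new block inside the prompt)
    - replace any run of whitespace, newlines included, with a single space
    - cap the length so a long description cannot crowd out the real instructions
    """
    desc = FENCE_RE.sub("", desc)
    desc = " ".join(desc.split())
    return desc[:max_len]

def build_skills_prompt_vulnerable(skills):
    """Mirrors the flaw: sanitization only runs for sandbox_only skills."""
    lines = ["Available skills:"]
    for s in skills:
        desc = s.description
        if s.source_type == "sandbox_only":   # local_only skips sanitization
            desc = sanitize_prompt_description(desc)
        lines.append(f"- {s.name}: {desc}")
    return "\n".join(lines)

def build_skills_prompt_fixed(skills):
    """Hardened form: sanitize regardless of where the skill came from."""
    lines = ["Available skills:"]
    for s in skills:
        desc = sanitize_prompt_description(s.description)
        lines.append(f"- {s.name}: {desc}")
    return "\n".join(lines)

def prompt_is_well_formed(prompt: str) -> bool:
    """Detection check: every skill line must be a single '- name: text' line
    with no code fence; anything else means a description escaped its slot."""
    body = prompt.split("\n")[1:]
    return all(line.startswith("- ") and "```" not in line for line in body)

# Constructed sample: the multiline value a YAML block scalar ("description: |")
# yields for a locally uploaded skill. Only newlines and an empty fence, no payload.
LOCAL_SKILL = Skill(
    name="weather",
    description="Fetch the forecast.\n\n```\nline that should never stand alone\n```\n",
    source_type="local_only",
)
SANDBOX_SKILL = Skill(
    name="calc",
    description="Evaluate math.\nSecond line.",
    source_type="sandbox_only",
)

if __name__ == "__main__":
    for builder in (build_skills_prompt_vulnerable, build_skills_prompt_fixed):
        prompt = builder([SANDBOX_SKILL, LOCAL_SKILL])
        print(builder.__name__, "well-formed:", prompt_is_well_formed(prompt))
        print(prompt, end="\n\n")
```

Running the script shows the gated builder emitting a prompt in which the local skill's description spans several lines and opens a code fence, which `prompt_is_well_formed` flags, while the unconditional builder produces one line per skill. The same invariant check is a cheap regression test to keep in place after the gate is removed, since it catches any future code path that bypasses the sanitizer.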