| 제목 | Sipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829) |
|---|
| 설명 | # Technical Details
A prompt trust-boundary vulnerability exists in repository-local skill discovery in `pkg/agent/context.go` and `pkg/skills/loader.go` of PicoClaw.
The application fails to restrict built-in skill metadata to trusted installation paths. When `PICOCLAW_BUILTIN_SKILLS` is unset, `NewContextBuilder()` derives the built-in skill directory from `os.Getwd()/skills`; `SkillsLoader.ListSkills()` then loads repo-local `SKILL.md` metadata, and `BuildSystemPromptParts()` injects the skill catalog into the system prompt.
# Vulnerable Code
File: `pkg/agent/context.go`
Method: `NewContextBuilder`
Why: Falls back to `filepath.Join(os.Getwd(), "skills")`, making the current working directory an implicit built-in skill trust source.
File: `pkg/skills/loader.go`
Method: `SkillsLoader.ListSkills`
Why: Enumerates repo-local `skills/*/SKILL.md` files and extracts their metadata.
File: `pkg/agent/context.go`
Method: `BuildSystemPromptParts`
Why: Adds discovered skill catalog content into the trusted `capability.skill_catalog` system prompt section.
# Reproduction
1. Ensure `PICOCLAW_BUILTIN_SKILLS` is unset.
2. Create or clone an untrusted repository containing `./skills/rogue-helper/SKILL.md`.
3. Start PicoClaw or build the system prompt from inside that repository.
4. Observe attacker-controlled skill metadata appears in the system prompt.
5. Run the same flow without repo-local `./skills` and observe the canary is absent.
# Impact
- Allows malicious repositories to influence trusted model system prompt content.
- Can bias model planning, file-reading order, tool selection, and follow-up actions.
- Affects local workflows where PicoClaw is launched from untrusted cloned repositories. |
|---|
| 원천 | ⚠️ https://github.com/sipeed/picoclaw/issues/3075 |
|---|
| 사용자 | Eric-i (UID 97584) |
|---|
| 제출 | 2026. 06. 09. PM 01:30 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 17. PM 03:50 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 379797 [Sipeed PicoClaw 까지 0.2.9 pkg/agent/context.go NewContextBuilder 권한 상승] |
|---|
| 포인트들 | 20 |
|---|