제출 #852947: Sipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)정보

제목Sipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
설명# Technical Details A prompt trust-boundary vulnerability exists in repository-local skill discovery in `pkg/agent/context.go` and `pkg/skills/loader.go` of PicoClaw. The application fails to restrict built-in skill metadata to trusted installation paths. When `PICOCLAW_BUILTIN_SKILLS` is unset, `NewContextBuilder()` derives the built-in skill directory from `os.Getwd()/skills`; `SkillsLoader.ListSkills()` then loads repo-local `SKILL.md` metadata, and `BuildSystemPromptParts()` injects the skill catalog into the system prompt. # Vulnerable Code File: `pkg/agent/context.go` Method: `NewContextBuilder` Why: Falls back to `filepath.Join(os.Getwd(), "skills")`, making the current working directory an implicit built-in skill trust source. File: `pkg/skills/loader.go` Method: `SkillsLoader.ListSkills` Why: Enumerates repo-local `skills/*/SKILL.md` files and extracts their metadata. File: `pkg/agent/context.go` Method: `BuildSystemPromptParts` Why: Adds discovered skill catalog content into the trusted `capability.skill_catalog` system prompt section. # Reproduction 1. Ensure `PICOCLAW_BUILTIN_SKILLS` is unset. 2. Create or clone an untrusted repository containing `./skills/rogue-helper/SKILL.md`. 3. Start PicoClaw or build the system prompt from inside that repository. 4. Observe attacker-controlled skill metadata appears in the system prompt. 5. Run the same flow without repo-local `./skills` and observe the canary is absent. # Impact - Allows malicious repositories to influence trusted model system prompt content. - Can bias model planning, file-reading order, tool selection, and follow-up actions. - Affects local workflows where PicoClaw is launched from untrusted cloned repositories.
원천⚠️ https://github.com/sipeed/picoclaw/issues/3075
사용자
 Eric-i (UID 97584)
제출2026. 06. 09. PM 01:30 (1 월 ago)
모더레이션2026. 07. 17. PM 03:50 (1 month later)
상태수락
VulDB 항목379797 [Sipeed PicoClaw 까지 0.2.9 pkg/agent/context.go NewContextBuilder 권한 상승]
포인트들20

Interested in the pricing of exploits?

See the underground prices here!