| Título | Sipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829) |
|---|
| Descrição | # Technical Details
A prompt trust-boundary vulnerability exists in repository-local skill discovery in `pkg/agent/context.go` and `pkg/skills/loader.go` of PicoClaw.
The application fails to restrict built-in skill metadata to trusted installation paths. When `PICOCLAW_BUILTIN_SKILLS` is unset, `NewContextBuilder()` derives the built-in skill directory from `os.Getwd()/skills`; `SkillsLoader.ListSkills()` then loads repo-local `SKILL.md` metadata, and `BuildSystemPromptParts()` injects the skill catalog into the system prompt.
# Vulnerable Code
File: `pkg/agent/context.go`
Method: `NewContextBuilder`
Why: Falls back to `filepath.Join(os.Getwd(), "skills")`, making the current working directory an implicit built-in skill trust source.
File: `pkg/skills/loader.go`
Method: `SkillsLoader.ListSkills`
Why: Enumerates repo-local `skills/*/SKILL.md` files and extracts their metadata.
File: `pkg/agent/context.go`
Method: `BuildSystemPromptParts`
Why: Adds discovered skill catalog content into the trusted `capability.skill_catalog` system prompt section.
# Reproduction
1. Ensure `PICOCLAW_BUILTIN_SKILLS` is unset.
2. Create or clone an untrusted repository containing `./skills/rogue-helper/SKILL.md`.
3. Start PicoClaw or build the system prompt from inside that repository.
4. Observe attacker-controlled skill metadata appears in the system prompt.
5. Run the same flow without repo-local `./skills` and observe the canary is absent.
# Impact
- Allows malicious repositories to influence trusted model system prompt content.
- Can bias model planning, file-reading order, tool selection, and follow-up actions.
- Affects local workflows where PicoClaw is launched from untrusted cloned repositories. |
|---|
| Fonte | ⚠️ https://github.com/sipeed/picoclaw/issues/3075 |
|---|
| Utilizador | Eric-i (UID 97584) |
|---|
| Submissão | 09/06/2026 13h30 (há 1 mês) |
|---|
| Moderação | 17/07/2026 15h50 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 379797 [Sipeed PicoClaw até 0.2.9 pkg/agent/context.go NewContextBuilder Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|