Submeter #852947: Sipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)informação

TítuloSipeed PicoClaw <= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Descrição# Technical Details A prompt trust-boundary vulnerability exists in repository-local skill discovery in `pkg/agent/context.go` and `pkg/skills/loader.go` of PicoClaw. The application fails to restrict built-in skill metadata to trusted installation paths. When `PICOCLAW_BUILTIN_SKILLS` is unset, `NewContextBuilder()` derives the built-in skill directory from `os.Getwd()/skills`; `SkillsLoader.ListSkills()` then loads repo-local `SKILL.md` metadata, and `BuildSystemPromptParts()` injects the skill catalog into the system prompt. # Vulnerable Code File: `pkg/agent/context.go` Method: `NewContextBuilder` Why: Falls back to `filepath.Join(os.Getwd(), "skills")`, making the current working directory an implicit built-in skill trust source. File: `pkg/skills/loader.go` Method: `SkillsLoader.ListSkills` Why: Enumerates repo-local `skills/*/SKILL.md` files and extracts their metadata. File: `pkg/agent/context.go` Method: `BuildSystemPromptParts` Why: Adds discovered skill catalog content into the trusted `capability.skill_catalog` system prompt section. # Reproduction 1. Ensure `PICOCLAW_BUILTIN_SKILLS` is unset. 2. Create or clone an untrusted repository containing `./skills/rogue-helper/SKILL.md`. 3. Start PicoClaw or build the system prompt from inside that repository. 4. Observe attacker-controlled skill metadata appears in the system prompt. 5. Run the same flow without repo-local `./skills` and observe the canary is absent. # Impact - Allows malicious repositories to influence trusted model system prompt content. - Can bias model planning, file-reading order, tool selection, and follow-up actions. - Affects local workflows where PicoClaw is launched from untrusted cloned repositories.
Fonte⚠️ https://github.com/sipeed/picoclaw/issues/3075
Utilizador
 Eric-i (UID 97584)
Submissão09/06/2026 13h30 (há 1 mês)
Moderação17/07/2026 15h50 (1 month later)
EstadoAceite
Entrada VulDB379797 [Sipeed PicoClaw até 0.2.9 pkg/agent/context.go NewContextBuilder Elevação de Privilégios]
Pontos20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!