提交 #813768: FoundDream miniclawd 0 Command Injection信息

标题FoundDream miniclawd 0 Command Injection
描述A critical command injection vulnerability exists in the which() method of SkillsLoader. The method directly concatenates unsanitized input from skill metadata requires.bins into a shell command executed via execSync(). The bins value is loaded from untrusted external SKILL.md files with no validation, sanitization, or escaping. An attacker who can create or modify a skill file can execute arbitrary system commands with the process's privileges. More details: https://github.com/FoundDream/miniclawd/issues/2
来源⚠️ https://github.com/FoundDream/miniclawd/issues/2
用户
 ybdesire (UID 83239)
提交2026-04-27 04時33分 (1 月前)
管理2026-05-24 09時54分 (27 days later)
状态已接受
VulDB条目365434 [FoundDream miniclawd 直到 2d65665046e2222eeea76cafc8570ed546a8c125 SkillsLoader skills-loader.ts which requires.bins 权限提升]
积分20

上一步一览下一步

Do you want to use VulDB in your project?

Use the official API to access entries easily!