Submission #821920: AstrBotDevs AstrBot 4.23.6 Prompt Injection (CWE-74) Information

Title: AstrBotDevs AstrBot 4.23.6 Prompt Injection (CWE-74)
Description:

# Technical Details

A Prompt Injection exists in the `build_skills_prompt` method in `astrbot/core/skills/skill_manager.py` of AstrBot. The application fails to sanitize skill descriptions for locally uploaded skills. An attacker can upload a crafted `SKILL.md` file within a ZIP archive where the description contains a YAML literal block scalar (`|`). Because the application only applies `_sanitize_prompt_description()` to `sandbox_only` skills, `local_only` skills bypass sanitization. This allows injecting arbitrary multiline instructions with newlines and markdown code fences that break out of the skill context and are interpreted directly as LLM system directives.

# Vulnerable Code

File: astrbot/core/skills/skill_manager.py
Method: build_skills_prompt
Why: The sanitization function `_sanitize_prompt_description` is only applied when `skill.source_type == "sandbox_only"`. Locally uploaded skills are assigned `local_only` and their descriptions are embedded directly into the system prompt without filtering.

# Reproduction

1. Authenticate to the AstrBot dashboard via `POST /api/auth/login`.
2. Create a ZIP archive with a malicious `SKILL.md` containing a prompt injection payload using a YAML block scalar `description: |`.
3. Upload the ZIP archive via `POST /api/skills/upload`.
4. Trigger any LLM interaction and observe the injected instructions embedded in the system prompt.

# Impact

- Prompt Hijacking: Complete control over the LLM's behavior and system instructions.
- Data Exfiltration: Attackers can instruct the LLM to execute shell commands and exfiltrate sensitive files (e.g., `/etc/passwd`).
- Persistent Backdoor: The malicious skill remains active until manually deleted.
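The following Python sketch is an added illustration, not AstrBot's own code: it models the `source_type`-gated sanitization the report describes next to a form that sanitizes every skill description, and includes a check a reviewer can run over the generated prompt. The `Skill` class, the `sanitize_prompt_description` rules, the prompt layout and the sample skill are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Skill:
    """Minimal stand-in for a skill record (assumption, not AstrBot's class)."""
    name: str
    description: str
    source_type: str  # "sandbox_only" or "local_only"


_FENCE_RE = re.compile(r"`{3,}[^\n]*")  # markdown code-fence openers/closers
_WS_RE = re.compile(r"\s+")             # any run of whitespace, newlines included


def sanitize_prompt_description(text: str, max_len: int = 200) -> str:
    """Flatten a description to one line of plain text before embedding it in
    the system prompt (assumed rules; AstrBot's own function may differ)."""
    text = _FENCE_RE.sub(" ", text)      # remove code fences
    text = text.replace("#", " ")        # remove markdown heading markers
    text = _WS_RE.sub(" ", text).strip() # collapse newlines and spaces
    return text[:max_len]


def build_skills_prompt_weak(skills):
    """Mirrors the flaw in the report: only sandbox_only skills are sanitized."""
    lines = []
    for s in skills:
        desc = (sanitize_prompt_description(s.description)
                if s.source_type == "sandbox_only" else s.description)
        lines.append(f"- {s.name}: {desc}")
    return "Available skills:\n" + "\n".join(lines)


def build_skills_prompt_hardened(skills):
    """Sanitize every description regardless of where the skill came from."""
    lines = [f"- {s.name}: {sanitize_prompt_description(s.description)}" for s in skills]
    return "Available skills:\n" + "\n".join(lines)


def description_escapes_skill_line(prompt: str) -> bool:
    """Detection check: True if any line after the header is not a '- name: desc' entry,
    i.e. a description has broken out of its own line in the prompt."""
    return any(not line.startswith("- ") for line in prompt.split("\n")[1:])


# Constructed sample: a local_only skill whose description is a multi-line
# YAML block scalar containing a code fence (benign filler text).
LOCAL_SKILL = Skill(
    name="weather",
    description="Fetch weather.\n```\nextra line outside the skill entry\n```\n# Not a heading",
    source_type="local_only",
)
```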
Source: ⚠️ https://gist.github.com/YLChen-007/f9d45a9c68b15a382677a820ee881bbb
User: Eric-a (UID 96353)
Submitted: 2026-05-07 13:30 (28 days ago)
Moderated: 2026-05-31 09:14 (24 days later)
Status: Accepted
VulDB Entry: 367489 [AstrBotDevs AstrBot 4.23.6 skill_manager.py _sanitize_prompt_description privilege escalation]
Points: 20
