picoclaw CVE-2026-36045
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.
AnalysisAI
OS command injection in sipeed picoclaw v0.1.2 and earlier allows remote attackers to bypass an incomplete denylist-based sanitizer in the ExecTool component and execute arbitrary shell commands on the host. The guardCommand() function in pkg/tools/shell.go relies on only eight regex denylist patterns, which is insufficient to block the wide range of shell metacharacters and command-chaining techniques available to an attacker. No public exploit identified at time of analysis, though a third-party gist documenting the issue is referenced from NVD.
Technical ContextAI
picoclaw is a Go-based AI/agent project from sipeed that exposes an ExecTool capability allowing shell command execution, intended to be gated by a safety filter. The vulnerability resides in pkg/tools/shell.go, where guardCommand() implements input validation as a denylist of eight regular expressions rather than an allowlist or proper shell-argument parsing. This is a textbook CWE-78 (Improper Neutralization of Special Elements used in an OS Command) flaw: denylist sanitization for shell input is well known to be fundamentally incomplete because attackers can use alternate quoting, encoding, environment-variable expansion, subshells ($(...), backticks), redirection, IFS manipulation, or simply unlisted binaries to evade pattern matching. Because the tool is invoked through the agent's command-execution path, any user able to reach that path can supply payloads that survive the filter.
Affected ProductsAI
sipeed picoclaw versions v0.1.2 and earlier are affected, specifically the ExecTool component in pkg/tools/shell.go. No CPE strings were provided in the input. The v0.1.2 release is documented at https://github.com/sipeed/picoclaw/releases/tag/v0.1.2, and the release notes do not mention a security fix for guardCommand(), suggesting v0.1.2 itself remains vulnerable.
RemediationAI
No vendor-released patch identified at time of analysis - the v0.1.2 release notes (https://github.com/sipeed/picoclaw/releases/tag/v0.1.2) contain only feature and CI changes with no reference to guardCommand() hardening. As compensating controls, operators should disable or remove the ExecTool capability from any agent/tool registry exposed to untrusted input, replace the denylist approach in pkg/tools/shell.go with a strict allowlist of permitted binaries invoked via exec.Command without a shell (avoiding sh -c and similar wrappers), and run the picoclaw process under a dedicated low-privilege user inside a container or seccomp/AppArmor profile that restricts spawning new processes and outbound network access - accepting that disabling ExecTool will break any legitimate agent workflow that depends on shell execution. Network-level mitigations include placing picoclaw behind authentication and restricting reachability to trusted operators only until an upstream fix lands. Track the upstream repo at https://github.com/sipeed/picoclaw for a release that rewrites guardCommand() or removes the shell path entirely.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cv2p-68f4-f4pw