Miniclaw
Monthly
OS command injection in 8421bit MiniClaw 0.8.0 and 0.9.0 allows local authenticated attackers to execute arbitrary system commands via the resolveSkillScriptPath function in the System Command Handler (src/kernel.ts). The vulnerability stems from unsafe command construction using string concatenation with unsanitized user input passed to shell execution. Publicly available exploit code exists, and a patch has been released by the vendor.
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.
OS command injection in 8421bit MiniClaw's executeCognitivePulse function allows authenticated remote attackers to inject arbitrary shell commands via unsanitized prompt input passed to external CLI tools. The vulnerability stems from unsafe string interpolation in command construction, enabling execution of system commands with the privileges of the MiniClaw process. Publicly available exploit code exists, and vendor-released patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 is available on GitHub.
OS command injection in 8421bit MiniClaw 0.8.0 and 0.9.0 allows local authenticated attackers to execute arbitrary system commands via the resolveSkillScriptPath function in the System Command Handler (src/kernel.ts). The vulnerability stems from unsafe command construction using string concatenation with unsanitized user input passed to shell execution. Publicly available exploit code exists, and a patch has been released by the vendor.
Path traversal in MiniClaw's executeSkillScript function allows authenticated remote attackers to access files outside the intended skills directory via directory traversal sequences in the skillName or scriptFile parameters. The vulnerability affects the isPathInside function in src/kernel.ts, enabling disclosure of sensitive files with CVSS 4.3 (low confidentiality impact). Publicly available exploit code exists and a vendor patch is available via commit e8bd4e17e9428260f2161378356affc5ce90d6ed.
OS command injection in 8421bit MiniClaw's executeCognitivePulse function allows authenticated remote attackers to inject arbitrary shell commands via unsanitized prompt input passed to external CLI tools. The vulnerability stems from unsafe string interpolation in command construction, enabling execution of system commands with the privileges of the MiniClaw process. Publicly available exploit code exists, and vendor-released patch commit 028f62216dee9f64833d0f1cfda7c217067ceba8 is available on GitHub.