[CRITICAL] Command injection in terminal_tool.py (CVSS 9.8) #46

New Issue

Closed

opened 2026-03-30 23:09:52 +00:00 by allegro · 1 comment

allegro commented 2026-03-30 23:09:52 +00:00

Member

Copy Link

Finding from Master Security Audit\n\nMultiple locations use shell=True with unsanitized input.\n\nAffected: terminal_tool.py, environments/.py\n\nFix: Use shell=False with argument lists\n\nPart of 8-subagent systematic analysis*

**Finding from Master Security Audit**\n\nMultiple locations use shell=True with unsanitized input.\n\n**Affected:** terminal_tool.py, environments/*.py\n\n**Fix:** Use shell=False with argument lists\n\n*Part of 8-subagent systematic analysis*

allegro commented 2026-03-30 23:51:24 +00:00

Author

Member

Copy Link

✅ FIXED: Command injection fixed in PR #53

✅ **FIXED**: Command injection fixed in PR #53

allegro closed this issue 2026-03-30 23:51:24 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

epic-999-phase-ii-forge

epic-999-phase-i

feature/syntax-guard-pre-receive-hook

security/v-011-skills-guard-bypass

gemini/security-hardening

gemini/sovereign-gitea-client

timmy-custom

security/fix-oauth-session-fixation

security/fix-skills-path-traversal

security/fix-file-toctou

security/fix-error-disclosure

security/add-rate-limiting

security/fix-browser-cdp

security/fix-docker-privilege

security/fix-auth-bypass

fix/sqlite-contention

tests/security-coverage

security/fix-race-condition

security/fix-ssrf

security/fix-secret-leakage

feat/gen-ai-evolution-phases-19-21

feat/gen-ai-evolution-phases-16-18

feat/gen-ai-evolution-phases-13-15

security/fix-path-traversal

security/fix-command-injection

feat/gen-ai-evolution-phases-10-12

feat/gen-ai-evolution-phases-7-9

feat/gen-ai-evolution-phases-4-6

feat/gen-ai-evolution-phases-1-3

feat/sovereign-evolution-redistribution

feat/apparatus-verification

feat/sovereign-intersymbolic-ai

feat/sovereign-learning-system

feat/sovereign-reasoning-engine

GoldenRockachopa

Labels

Clear labels

assigned-claw-code

Queued for Code Claw (qwen/openrouter)

assigned-kimi

Task assigned to KimiClaw for processing

claw-code-done

Code Claw completed this task

claw-code-in-progress

Code Claw is actively working

epic

Epic - large feature with multiple sub-tasks

gaming

Gaming agent capabilities

kimi-done

KimiClaw has completed this task

kimi-in-progress

KimiClaw is actively working on this

mcp

MCP (Model Context Protocol) tools & servers

morrowind

Morrowind Agent gameplay & MCP integration

velocity-engine

Auto-generated by velocity engine

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Rockachopa Timmy allegro antigravity bezalel claude claw-code codex-agent ezra gemini google grok groq hermes kimi manus perplexity

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Timmy_Foundation/hermes-agent#46