OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
Description
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Range: <=0.54.0
Patches
Vulnerability mechanics
Root cause
"The allowlist in `SecurityPolicy` fails to block `find` flags `-execdir`/`-okdir` and strips inline environment-variable assignments before validation, allowing an attacker to execute arbitrary OS commands through an otherwise-allowlisted command."
Attack vector
An attacker achieves remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the OpenHuman agent instructs it to run a benign-looking allowlisted command. Because `skip_env_assignments()` strips inline environment-variable assignments before the allowlist check, a command such as `GIT_EXTERNAL_DIFF=<cmd> git diff` passes validation as the allowed `git diff` but the shell evaluates the environment prefix, causing git to spawn `<cmd>` as a subprocess. Similarly, the `find` command's `-execdir` and `-okdir` flags (not blocked by the original allowlist) execute arbitrary commands per matched file, just like the blocked `-exec` and `-ok` flags. Since the sandbox is the primary trust boundary between untrusted LLM-processed content and the host OS, this bypass yields arbitrary command execution, data exfiltration, file read/write, and lateral movement on the user's machine.
Affected code
The vulnerability resides in `src/openhuman/security/policy.rs`. Two flaws combine: (1) `is_args_safe()` blocks `find` flags `-exec` and `-ok` but not the functionally identical `-execdir` and `-okdir`; (2) `skip_env_assignments()` strips leading inline `KEY=value` environment-variable assignments before allowlist validation, so a command like `GIT_EXTERNAL_DIFF=<cmd> git diff` is validated as the allowed `git diff` but executes `<cmd>` through git's environment-driven hooks.
What the fix does
The commit [patch_id=6466960] adds two defenses. First, `has_dangerous_env_prefix()` is introduced to reject any command segment that begins with an inline assignment to a dangerous environment variable (e.g. `GIT_EXTERNAL_DIFF`, `GIT_SSH_COMMAND`, `LD_PRELOAD`, `PATH`, `SHELL`); this check runs before `skip_env_assignments()` strips the prefix, so the allowlist cannot be bypassed by hiding a hook variable in the leading assignment. Second, the list of blocked `find` flags is extended to cover `-execdir` and `-okdir` alongside the already-blocked `-exec` and `-ok`, because all four flags execute an arbitrary command per matched file. Together these changes close the two bypass vectors that allowed an attacker to achieve arbitrary OS command execution through an otherwise-allowlisted command.
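As an added example (not OpenHuman's code), a simplified Rust model of the two checks above, with the pre-fix and post-fix behaviour selectable so the mitigation can be verified against the bypass shapes the advisory names; the constant names, the allowlist contents and the single-segment whitespace tokenization are assumptions.

```rust
// Added example (not the project's code): a simplified model of the two allowlist
// checks described above; `fixed` selects pre-fix vs post-fix behaviour. Assumes a
// single whitespace-tokenized command segment (no pipes or &&) and a toy allowlist.
const ALLOWED: &[&str] = &["git", "find", "ls"];
const DANGEROUS_ENV: &[&str] = &["GIT_EXTERNAL_DIFF", "GIT_SSH_COMMAND", "LD_PRELOAD", "PATH", "SHELL"];
const BLOCKED_FIND_FLAGS_OLD: &[&str] = &["-exec", "-ok"];
const BLOCKED_FIND_FLAGS_FIXED: &[&str] = &["-exec", "-ok", "-execdir", "-okdir"];

/// True for a `KEY=value` token the shell would treat as an inline env assignment.
fn is_env_assignment(tok: &str) -> bool {
    match tok.split_once('=') {
        Some((key, _)) => !key.is_empty()
            && !key.starts_with(|c: char| c.is_ascii_digit())
            && key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_'),
        None => false,
    }
}

/// Pre-fix behaviour: leading assignments are dropped, so validation never sees them.
fn skip_env_assignments<'a, 'b>(tokens: &'a [&'b str]) -> &'a [&'b str] {
    let n = tokens.iter().take_while(|t| is_env_assignment(t)).count();
    &tokens[n..]
}

/// Added by the fix: inspect the assignment prefix *before* it is stripped.
fn has_dangerous_env_prefix(tokens: &[&str]) -> bool {
    tokens.iter().take_while(|t| is_env_assignment(t))
        .filter_map(|t| t.split_once('='))
        .any(|(key, _)| DANGEROUS_ENV.contains(&key))
}

/// `find` may not carry any flag that runs a command per matched file.
fn is_args_safe(program: &str, args: &[&str], blocked_find_flags: &[&str]) -> bool {
    program != "find" || !args.iter().any(|a| blocked_find_flags.contains(a))
}

/// Validate one command segment against the allowlist.
pub fn is_allowed(cmd: &str, fixed: bool) -> bool {
    let tokens: Vec<&str> = cmd.split_whitespace().collect();
    if fixed && has_dangerous_env_prefix(&tokens) {
        return false; // reject before stripping can hide the hook variable
    }
    let (program, args) = match skip_env_assignments(&tokens).split_first() {
        Some((p, a)) => (*p, a),
        None => return false,
    };
    let flags = if fixed { BLOCKED_FIND_FLAGS_FIXED } else { BLOCKED_FIND_FLAGS_OLD };
    ALLOWED.contains(&program) && is_args_safe(program, args, flags)
}
```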
Preconditions
- config: The OpenHuman agent must be running with the default Supervised security policy (versions through 0.54.0).
- input: The attacker must be able to inject a prompt into content ingested by the agent (e.g. a malicious document, email, calendar event, or web page).
- input: The injected prompt must instruct the agent to run a command that is allowlisted but can be mutated via an inline environment-variable assignment or a `find` flag.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.