FoundDream miniclawd SkillsLoader skills-loader.ts which command injection
Description
A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in FoundDream miniclawd's SkillsLoader.which() allows remote attackers to execute arbitrary commands via crafted SKILL.md files.
Vulnerability
A command injection vulnerability exists in FoundDream miniclawd up to commit 2d65665046e2222eeea76cafc8570ed546a8c125. The flaw resides in the which() function of the /src/application/skills-loader.ts file within the SkillsLoader component [1]. The function directly concatenates unsanitized input from the requires.bins argument into a shell command executed via execSync(), as seen in the code: execSync(`which ${command}`, { stdio: "ignore" }) [2]. The bins value is loaded from untrusted external SKILL.md files with no validation, sanitization, or escaping [2]. The product uses a rolling release model, so specific version numbers are not available; only the commit hash is known [1][2].
Exploitation
An attacker can initiate the attack remotely by creating or modifying a skill file (SKILL.md) that contains malicious requires.bins metadata. The skill file must be loaded by the application—for example, through listSkills(true) or any method that triggers dependency checks [2]. No authentication is required if the attacker can write a skill file to a location processed by miniclawd. The proof of concept involves setting "bins": ["dummy; touch /tmp/pwned"] within the skill metadata, which results in the shell command which dummy; touch /tmp/pwned being executed [2]. The exploit is publicly available [1].
Impact
Successful exploitation leads to arbitrary system command execution with the privileges of the miniclawd process [2]. Depending on the process's permissions, this could result in full system compromise, including data loss, privilege escalation, or backdoor installation [2]. The CIA impact is complete loss of confidentiality, integrity, and availability within the context of the affected system.
Mitigation
No official fix has been released. The project maintainer was informed via an issue report but has not responded as of the publication date [1]. As a workaround, users can avoid loading untrusted skill files or disable the SkillsLoader component. The recommendation from the disclosure is to replace execSync() with spawnSync() using an argument array to avoid shell injection, and to add input validation for command names [2]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <= commit 2d65665046e2222eeea76cafc8570ed546a8c125
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of unsanitized user-controlled input into a shell command executed via execSync() allows command injection."
Attack vector
An attacker who can create or modify a SKILL.md file (the skill metadata file) supplies a malicious `requires.bins` value containing shell metacharacters, e.g. `"dummy; touch /tmp/pwned"` [ref_id=1]. When `listSkills(true)` or any method that triggers requirement checks is called, the `which()` method concatenates this unsanitized input into a shell command executed via `execSync()`, resulting in arbitrary command injection [ref_id=1]. The attack is remotely triggerable because skill files can be loaded from untrusted external sources.
Affected code
The vulnerability is in the `which()` method of `SkillsLoader` in `/src/application/skills-loader.ts` (line 323 on the main branch). The method passes the `requires.bins` value directly into an `execSync()` call via shell string interpolation: ``execSync(`which ${command}`, { stdio: "ignore" })`` [ref_id=1].
What the fix does
No patch has been published; the project was informed via an issue report but has not responded [ref_id=1]. The advisory recommends avoiding shell string interpolation by using `spawnSync()` with an argument array instead of `execSync()`, disabling shell execution, adding validation for command names, and adding a timeout to prevent hanging [ref_id=1].
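The recommendation above (also summarised under Mitigation), worked through as an added TypeScript example; it is not code from miniclawd or from the issue report. The names `isSafeBinName`, `binOnPath` and `checkRequiredBins` and the allow-list pattern are assumptions made for illustration.

```typescript
import { spawnSync } from "node:child_process";

// Conservative allow-list for executable names (an assumption, tighten as needed):
// starts with an alphanumeric, then letters, digits, ".", "_", "+", "-". No path
// separators, whitespace or shell metacharacters, and no leading "-", so the
// value can never be read as an option by `which`.
const SAFE_BIN = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$/;

function isSafeBinName(name: unknown): name is string {
  return typeof name === "string" && SAFE_BIN.test(name);
}

// Hypothetical replacement for SkillsLoader.which(): no shell, argv array, timeout.
function binOnPath(name: unknown): boolean {
  if (!isSafeBinName(name)) return false;
  const result = spawnSync("which", [name], {
    shell: false,    // the name is passed as one argv entry, never parsed by /bin/sh
    stdio: "ignore",
    timeout: 2000,   // milliseconds; a hung lookup must not stall skill loading
  });
  return result.error === undefined && result.status === 0;
}

interface BinCheck { found: string[]; missing: string[]; rejected: string[] }

// Classify every entry of an untrusted requires.bins value.
function checkRequiredBins(bins: unknown): BinCheck {
  const out: BinCheck = { found: [], missing: [], rejected: [] };
  if (!Array.isArray(bins)) return out;
  for (const entry of bins) {
    if (!isSafeBinName(entry)) out.rejected.push(String(entry));
    else if (binOnPath(entry)) out.found.push(entry);
    else out.missing.push(entry);
  }
  return out;
}

// Constructed sample: the requires.bins value from the report plus a benign name.
const sample = checkRequiredBins(["dummy; touch /tmp/pwned", "sh"]);
console.log(sample);
```

Rejected entries are worth logging with the path of the SKILL.md they came from, since a name containing shell metacharacters in `requires.bins` has no legitimate use.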
Preconditions
- input: Attacker must be able to create or modify a SKILL.md file that is loaded by the application
- config: The application must call listSkills(true) or another method that triggers requirement checks
Reproduction
1. Create a malicious skill directory containing a SKILL.md file with the following content: `---\nname: malicious\nmetadata: |\n {\n "nanobot": {\n "requires": {\n "bins": ["dummy; touch /tmp/pwned"]\n }\n }\n }\n---` [ref_id=1].
2. Call `listSkills(true)` or any method that triggers requirement checks [ref_id=1].
3. Observe that the command `which dummy; touch /tmp/pwned` is executed, creating `/tmp/pwned` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FoundDream/miniclawd/issues/2 (mitre: exploit, issue-tracking)
- vuldb.com/submit/813768 (mitre: third-party-advisory)
- vuldb.com/vuln/365434 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365434/cti (mitre: signature, permissions-required)