zeptoclaw implements a allowlist combined with a blocklist to prevent malicious shell commands in src/security/shell.rs. However, even in the Strict mode, attackers can completely bypass all the guards from allowlist and blocklist:
allowlist, command injection is enough, such as ;, $() etc.REGEX_BLOCKED_PATTERNS, argument injection is enough, such as the python3 -P -c "..."LITERAL_BLOCKED_PATTERNS, file name wildcards can do the work, such as cat /etc/pass[w]dIn code src/security/shell.rs#L218-L243, one can see the allowlist only checks the first token and thus makes command injection possible.
// Allowlist check (runs after blocklist)
if self.allowlist_mode != ShellAllowlistMode::Off && !self.allowlist.is_empty() {
let first_token = command
.split_whitespace()
.next()
.unwrap_or("")
.to_lowercase();
// Strip path prefix (e.g. /usr/bin/git -> git)
let executable = first_token.rsplit('/').next().unwrap_or(&first_token);
if !self.allowlist.iter().any(|a| a == executable) {
match self.allowlist_mode {
ShellAllowlistMode::Strict => {
return Err(ZeptoError::SecurityViolation(format!(
"Command '{}' not in allowlist",
executable
)));
}
ShellAllowlistMode::Warn => {
tracing::warn!(
command = %command,
executable = %executable,
"Command not in...
0.6.2Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:HI:HA:H10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H