AI & LLM Vulnerabilities

OpenClaw's jq safe-bin policy had a security flaw where it blocked direct `env` commands but still allowed access to environment variables through the `$ENV` filter, potentially letting approved commands leak sensitive environment data. This vulnerability affected versions up to 2026.3.24 in the file `src/infra/exec-safe-bin-semantics.ts` (the code that enforces safe command restrictions).

The Claude SDK for Python (versions 0.86.0 to 0.86.x) had a vulnerability in its async local filesystem memory tool where the system checked that file paths were safe but then used an unresolved path, allowing an attacker to redirect file operations outside the intended sandbox (a restricted storage area) using symlinks (shortcuts to other files or directories). The synchronous (non-async) version of this tool was not affected.

The Claude SDK for TypeScript had a security flaw in its filesystem memory tool (a feature that lets AI models read and write files) where path validation was incomplete, allowing an attacker using prompt injection (tricking the AI with hidden instructions in its input) to access files outside the intended sandbox directory. This vulnerability affected versions 0.79.0 through 0.80.x and could let attackers read or modify files they shouldn't have access to.

The Claude SDK for Python (a library that lets Python programs use Claude AI) had a security flaw in versions 0.86.0 through 0.87.0 where memory files were created with overly permissive access controls (mode 0o666, meaning world-readable and world-writable permissions). On shared computers or in Docker containers, attackers could read the stored state of AI agents or modify memory files to change how the model behaves.

FastGPT, a platform for building AI agents, has a vulnerability in versions before 4.14.9.5 where two endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept URLs from users and make requests to them without checking if those URLs point to internal systems. This is called SSRF (server-side request forgery, where an attacker tricks a server into making requests to private networks on their behalf). Although FastGPT has a protective function called isInternalAddress() used elsewhere, these endpoints don't use it, allowing authenticated attackers to scan internal networks, access cloud metadata services, and interact with internal databases like MongoDB and Redis.

MLflow (a machine learning model management tool) has a command injection vulnerability (a security flaw where an attacker can insert shell commands into input) when serving models with `enable_mlserver=True`. The vulnerability occurs because the `model_uri` (a file path or reference to a model) is directly placed into a shell command without filtering out dangerous characters like `$()` or backticks, allowing attackers to run unauthorized commands. This poses a serious risk if a high-privilege service loads models from a directory that lower-privilege users can access.

Sixth, an AI tool that can run terminal commands automatically, has a security flaw in its safety check feature. An attacker can use prompt injection (tricking the AI by hiding instructions in its input) to disguise harmful commands as safe ones, causing the AI to run them without asking the user for permission first.

A prompt injection vulnerability (a technique where attackers hide malicious instructions in their input to trick an AI) exists in the 1millionbot Millie chatbot, allowing users to bypass safety restrictions using Boolean logic tricks (phrasing questions to trigger 'true' responses that activate hidden commands). This could let attackers extract sensitive information, misuse the service, or access restricted features that the chatbot was designed to block.

HAI Build Code Generator has a feature that automatically runs commands it decides are safe, but researchers found a flaw: attackers can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user permission. This vulnerability allows arbitrary command execution (running any code) on a system by bypassing the safety check.

SakaDev has a feature that automatically runs terminal commands (direct computer instructions) chosen by its AI model, but it can be tricked through prompt injection (hiding malicious instructions in seemingly normal input) to misclassify dangerous commands as safe, allowing attackers to run harmful code without user approval.

OpenClaw has a vulnerability where malicious plugins or hooks can execute arbitrary code during installation. An attacker can create a `.npmrc` file (npm's configuration file) in a malicious plugin or hook directory that redirects the git executable to a malicious program, which gets executed when OpenClaw runs `npm install` during the installation phase.

OpenClaw has a path traversal vulnerability (CWE-22, a type of attack where an attacker uses special characters like ../ to access files outside their intended directory) that allows sandboxed agents to read files from other agents' workspaces. The vulnerability exists because the sandbox validation function only checks certain parameter keys (media, path, filePath) but misses mediaUrl and fileUrl, which are actually used by messaging extensions. Additionally, a separate function fails to pass the sandbox root restrictions to plugins, allowing them to read the entire ~/.openclaw/ directory instead of just an individual agent's folder.

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project where user API tokens are stored in process-wide environment variables without proper isolation. Because Streamlit (a web framework for Python applications) runs multiple users in a single process, credentials entered by one user can be accessed by other users, allowing attackers to steal sensitive tokens like GitHub Personal Access Tokens or LLM API keys.

CrewAI has a vulnerability where it fails to properly verify that Docker (a containerization tool that isolates applications) is still running during execution. When Docker stops, the software falls back to a less secure sandbox setting that can be exploited for RCE (remote code execution, where an attacker runs commands on a system they don't control).