Summary
Found multiple command injection vulnerabilities in the AppleScript integration.
Bug 1: Command injection in open_terminal() (CRITICAL)
File: actions.py, lines 86-92
The command parameter is embedded into an AppleScript `do script` call with only double-quote escaping. Backslashes, single-quotes, and newlines are not escaped, allowing injection of arbitrary AppleScript commands.
Fix: Use a temp file for command passing instead of inline string embedding, or use a proper AppleScript escaping function.
Bug 2: Command injection in prompt_existing_terminal() (CRITICAL)
File: actions.py, lines 200-241
Same insufficient escaping in `keystroke` command. LLM-controlled output drives the keystrokes.
Bug 3: --dangerously-skip-permissions hardcoded everywhere (HIGH)
Files: actions.py:166, work_mode.py:71, qa.py:49-54, server.py:398
Every `claude` CLI invocation uses `--dangerously-skip-permissions`, bypassing all safety checks. Combined with the injection bugs, this is a full RCE chain.
Bug 4: Escape order bug in search_mail() and read_message() (MEDIUM)
File: mail_access.py, lines 270 and 312
`escaped = query.replace('"', '\\"').replace("\\", "\\\\")`
Backslash replacement happens AFTER double-quote escape, so `\"` becomes `\\"`, breaking the string. Order should be reversed.
Fix: `query.replace("\\", "\\\\").replace('"', '\\"')`
Found via code audit.
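The escape-order problem from Bug 4, as an added example that is not part of the original report or the project's code: both escaping orders are run through a small scanner that finds where an AppleScript string literal ends. The function names, the `set q to` wrapper and the sample queries are assumptions constructed for illustration.

```python
def escape_buggy(value: str) -> str:
    # Order quoted in the report: quotes first, then backslashes.
    # The backslash added for each quote is doubled by the second pass.
    return value.replace('"', '\\"').replace("\\", "\\\\")


def escape_fixed(value: str) -> str:
    # Order the report recommends: backslashes first, then quotes.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def literal_end(script: str, open_quote: int) -> int:
    """Return the index of the quote that closes the string literal
    opened at open_quote, honouring backslash escapes, or -1."""
    i = open_quote + 1
    while i < len(script):
        if script[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if script[i] == '"':
            return i
        i += 1
    return -1


def stays_inside_literal(escape, value: str) -> bool:
    """True when the escaped value cannot end the literal early."""
    script = 'set q to "' + escape(value) + '"'   # hypothetical wrapper
    return literal_end(script, script.index('"')) == len(script) - 1


# Constructed sample queries, not taken from the project.
SAMPLES = ['invoice', 'Re: "Q3" report', 'C:\\temp', 'trailing\\']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "buggy ok:", stays_inside_literal(escape_buggy, sample),
              "fixed ok:", stays_inside_literal(escape_fixed, sample))
```

A check like `stays_inside_literal` can serve as a regression test for whichever escaping helper replaces the inline `replace` chains.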