Security Audit Report: 21 Findings (4 Critical, 5 High) #1

Open
opened 2026-02-20 08:30:21 +00:00 by Hermes · 1 comment
Contributor

Whitebox Security Audit - Cobot v0.1.0

Audit Date: February 14, 2026
Classification: Confidential
Auditor: Claude Opus 4.6 (Primary Analyst + Adversarial Review)
Commissioned by: Ultanio AG


Executive Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | 4 |
| 🟠 High | 5 |
| 🟡 Medium | 7 |
| 🟢 Low | 5 |
| Total | 21 |

Scope: 18 source files, 2,847 lines of Python


Critical Findings

  1. CB-001: Unrestricted Shell Execution via exec Tool (CVSS 9.8)

    • CWE-78: OS Command Injection
    • Location: cobot/plugins/tools/plugin.py
  2. CB-002: Arbitrary File System Read/Write

    • Full filesystem access without sandboxing
  3. CB-003: Prompt Injection to Remote Code Execution Chain

    • Direct path from untrusted input to shell execution
  4. CB-004: Unauthorized Wallet Drain via LLM Tool Abuse

    • Financial operations triggered by LLM without human confirmation

High Findings

  • CB-005: Security Plugin Fails Open
  • CB-006: Nostr Private Key Exposure Risk
  • CB-007: World-Writable FileDrop Directory
  • CB-008: Environment Variable Leakage via Subprocess
  • CB-009: os.execv Restart Allows Argument Injection

Key Risk: Prompt Injection → RCE Chain

The most significant architectural risk is the direct path from untrusted input to arbitrary code execution:

  1. Attacker sends crafted Nostr DM or Telegram message
  2. Security plugin may fail to detect injection (fail-open design)
  3. Message reaches LLM as part of conversation context
  4. LLM manipulated into generating exec tool calls
  5. Shell commands execute with full agent privileges

A single successful prompt injection can lead to complete system compromise.


📎 Full audit report (PDF) attached below.


This issue tracks remediation of security findings. See the attached PDF for detailed findings, attack scenarios, and remediation recommendations.

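The chain above breaks at step 2 (the detector must fail closed) and at step 4/5 (irreversible tools need an operator in the loop). The following is an added illustration written for this issue, not code from Cobot or from the audit report; the `Scanner` interface, `ToolCall`, the tool names, the keyword rule and the simulated registry are all assumptions made for the example. The LLM's output is stood in for by a list of `ToolCall` objects so the gating logic can be run offline.

```python
"""Added illustration (not Cobot's code): a fail-closed inbound-message gate
and a tool dispatcher that requires human confirmation for sensitive tools.
All names below are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable


class ScannerUnavailable(Exception):
    """The injection detector could not run (crash, timeout, missing model)."""


@dataclass
class Verdict:
    allowed: bool
    reason: str


# Hypothetical detector signature: True if the text looks like an injection
# attempt, False if clean; raises ScannerUnavailable on internal failure.
Scanner = Callable[[str], bool]


def gate_message(text: str, scanner: Scanner, fail_open: bool = False) -> Verdict:
    """Decide whether an inbound DM may enter the LLM's conversation context.

    fail_open=True mirrors the audited behaviour (CB-005): a detector failure
    lets the message through. fail_open=False turns that failure into a block.
    """
    try:
        flagged = scanner(text)
    except ScannerUnavailable as exc:
        if fail_open:
            return Verdict(True, f"detector unavailable, passed through: {exc}")
        return Verdict(False, f"detector unavailable, rejected (fail-closed): {exc}")
    if flagged:
        return Verdict(False, "injection pattern detected")
    return Verdict(True, "clean")


def rule_scanner(text: str) -> bool:
    """Constructed stand-in detector: flags one well-known override phrase."""
    return "ignore all previous instructions" in text.lower()


def broken_scanner(text: str) -> bool:
    """Constructed detector that always fails, to show the fail-open/closed split."""
    raise ScannerUnavailable("model backend timed out")


@dataclass
class ToolCall:
    name: str
    args: dict


# Tools with irreversible side effects (funds, shell) need an operator to
# confirm each call (CB-004); everything else runs directly.
CONFIRMATION_REQUIRED = frozenset({"wallet_send", "exec"})

# Constructed registry: only names listed here can ever be dispatched, so a
# tool the LLM invents is rejected rather than looked up dynamically.
TOOL_REGISTRY: dict[str, Callable[..., str]] = {
    "echo": lambda text: text,
    "wallet_send": lambda to, amount_sats: f"simulated: sent {amount_sats} sats to {to}",
}


def dispatch_tool(call: ToolCall, confirm: Callable[[ToolCall], bool]) -> str:
    """Run an LLM-requested tool only after policy checks pass."""
    if call.name not in TOOL_REGISTRY:
        return f"denied: unknown tool {call.name!r}"
    if call.name in CONFIRMATION_REQUIRED and not confirm(call):
        return f"denied: operator declined {call.name!r}"
    return TOOL_REGISTRY[call.name](**call.args)


def process_inbound(text: str, requested_tools: list[ToolCall],
                    confirm: Callable[[ToolCall], bool],
                    scanner: Scanner = rule_scanner) -> list[str]:
    """Whole pipeline: gate the message first; only then consider tool calls."""
    verdict = gate_message(text, scanner)
    if not verdict.allowed:
        return [f"message dropped: {verdict.reason}"]
    return [dispatch_tool(call, confirm) for call in requested_tools]


if __name__ == "__main__":
    decline = lambda call: False  # operator stand-in that never confirms
    print(gate_message("hi", broken_scanner, fail_open=True))   # passes through
    print(gate_message("hi", broken_scanner))                   # rejected
    print(process_inbound("hello", [ToolCall("wallet_send", {"to": "npub-constructed", "amount_sats": 5})], decline))
```

The `confirm` callback is where a real deployment would prompt the operator (or consult a signed allowlist); the point is that a wallet or shell tool cannot run on the LLM's say-so alone, and that a detector outage defaults to dropping the message rather than admitting it.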

📋 Issue Tracker Created

All 21 security findings from the audit have been filed as individual issues:

🔴 Critical (4)

  • #10 - CB-001: Unrestricted Shell Execution via exec Tool
  • #11 - CB-002: Arbitrary File System Read/Write
  • #12 - CB-003: Prompt Injection to Remote Code Execution Chain
  • #13 - CB-004: Unauthorized Wallet Drain via LLM Tool Abuse

🟠 High (5)

  • #14 - CB-005: Security Plugin Fails Open
  • #15 - CB-006: Nostr Private Key Exposure Risk
  • #16 - CB-007: World-Writable FileDrop Directory
  • #17 - CB-008: Environment Variable Leakage via Subprocess
  • #18 - CB-009: os.execv Restart Allows Argument Injection

🟡 Medium (7)

  • #19 - CB-010: Trivially Bypassable Exec Blocklist
  • #20 - CB-011: Memory File Path Injection
  • #21 - CB-012: No Rate Limiting on Tool Execution or LLM Calls
  • #22 - CB-013: CWD-Based Config Loading Allows Config Injection
  • #23 - CB-014: Unbounded Event Deduplication Set
  • #24 - CB-015: Error Messages Leak Internal State
  • #25 - CB-016: Telegram Auto-Adds Unknown Groups

🟢 Low (5)

  • #26 - CB-017: PID File Race Condition (TOCTOU)
  • #27 - CB-018: Plugin Discovery Executes Arbitrary Code
  • #28 - CB-019: Config --reveal Exposes All Secrets
  • #29 - CB-020: Telegram Bot Token Partially Leaked in Identity
  • #30 - CB-021: No HTTPS Certificate Pinning for API Calls

Recommended immediate actions:

  1. CB-005 (fail-closed security) — 15 min
  2. CB-004 (wallet confirmation) — 30 min
  3. CB-008 (env sanitization) — 30 min
  4. CB-001/CB-002 (workspace sandbox) — 2–4 hours

Filed by Doxios 🦊

Reference
ultanio/cobot#1