Summary
The command execution security policy in src/openhuman/security/policy.rs blocks find -exec and git config but does not block command interpreters that can execute arbitrary code:
xargs — echo rm | xargs runs whatever arrives on stdin as a command, so the interpreter sits after a pipe and is missed by a check that only looks at the first command
awk — awk 'BEGIN{system("rm -rf /")}' runs shell commands through awk's system()
perl — perl -e 'system("...")'
python / python3 — python -c 'import os; os.system("...")'
ruby — ruby -e 'system("...")'
bash / sh / env — direct shell access (env simply re-executes whatever follows it, e.g. env sh)
Location
src/openhuman/security/policy.rs — is_command_allowed() / is_args_safe()
Impact
High — An agent or compromised prompt can escape the tool sandbox by chaining through these interpreters, bypassing all path and command restrictions.
Suggested Fix
Add these interpreters to the high-risk command list in is_args_safe() and deny them by binary name, matched on the basename so that /usr/bin/python3 and versioned names such as python3.11 are caught. Blocking only the code-execution flags (-e, -c, BEGIN{}) is not enough: a script file on the command line, a script fed on stdin, or python -m ... runs code just as well, so a flag-based rule is bypassable. The check also has to cover every command in a pipeline or chain, not just the first one, since echo rm | xargs places the interpreter after a pipe.
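The following is an added example of how such a check could look, written for this issue rather than taken from the OpenHuman code base. It denies the interpreters listed above by program name, inspects every simple command in a pipeline or chain, and keeps an argument-level rule only for programs like find and git that have no other way to run code. The function names, the interpreter list, the tokenizer and the DENIED_ARGS pairs are assumptions for this example, not the policy's actual data structures.

```rust
// Added example (not OpenHuman's code): an allow/deny check in the spirit of
// is_command_allowed()/is_args_safe(). Function names, the interpreter list
// and the tokenizer are assumptions made for this example.

use std::path::Path;

/// Programs that run attacker-supplied code no matter which flags follow
/// them (a script file, stdin or `python -m` work as well as -c/-e), so they
/// are denied by name. Names are compared after stripping a version suffix.
/// `env` is denied outright because it re-executes its arguments.
const INTERPRETERS: &[&str] = &[
    "xargs", "awk", "gawk", "mawk", "perl", "python", "ruby", "bash", "sh", "env",
];

/// Command/argument pairs denied at the argument level, in the shape of the
/// find -exec / git config rules the issue says the policy already has.
/// Argument rules are only sound for programs that cannot otherwise run code.
const DENIED_ARGS: &[(&str, &str)] = &[
    ("find", "-exec"),
    ("find", "-execdir"),
    ("git", "config"),
];

/// Split a command line into simple commands on unquoted `|`, `;`, `&` and
/// newlines, honouring single quotes, double quotes and backslash escapes,
/// so that `echo 'a|b'` stays one command and `echo rm | xargs` becomes two.
fn split_pipeline(line: &str) -> Vec<Vec<String>> {
    let mut commands = Vec::new();
    let mut argv: Vec<String> = Vec::new();
    let mut token = String::new();
    let mut in_token = false;
    let mut chars = line.chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' => {
                in_token = true;
                while let Some(q) = chars.next() {
                    if q == '\'' { break; }
                    token.push(q);
                }
            }
            '"' => {
                in_token = true;
                while let Some(q) = chars.next() {
                    match q {
                        '"' => break,
                        '\\' => { if let Some(e) = chars.next() { token.push(e); } }
                        _ => token.push(q),
                    }
                }
            }
            '\\' => {
                in_token = true;
                if let Some(e) = chars.next() { token.push(e); }
            }
            '|' | ';' | '&' | '\n' => {
                if in_token { argv.push(std::mem::take(&mut token)); in_token = false; }
                if !argv.is_empty() { commands.push(std::mem::take(&mut argv)); }
            }
            _ if c.is_whitespace() => {
                if in_token { argv.push(std::mem::take(&mut token)); in_token = false; }
            }
            _ => { in_token = true; token.push(c); }
        }
    }
    if in_token { argv.push(token); }
    if !argv.is_empty() { commands.push(argv); }
    commands
}

/// True for a leading `NAME=value` environment assignment such as LC_ALL=C.
fn is_assignment(word: &str) -> bool {
    match word.split_once('=') {
        Some((name, _)) => !name.is_empty()
            && !name.starts_with(|c: char| c.is_ascii_digit())
            && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_'),
        None => false,
    }
}

/// Program name as the policy should compare it: basename only (so
/// /usr/bin/python3 is python3) and without a version suffix (python3.11 -> python).
fn program_name(word: &str) -> String {
    let base = Path::new(word).file_name().and_then(|s| s.to_str()).unwrap_or(word);
    base.trim_end_matches(|c: char| c.is_ascii_digit() || c == '.').to_string()
}

/// The program that actually runs once leading assignments are skipped.
fn effective_command(argv: &[String]) -> Option<String> {
    argv.iter().find(|w| !is_assignment(w.as_str())).map(|w| program_name(w))
}

/// Every simple command in the line must pass; one denied command denies the line.
pub fn is_command_allowed(line: &str) -> bool {
    for argv in split_pipeline(line) {
        let name = match effective_command(&argv) {
            Some(n) => n,
            None => continue,
        };
        if INTERPRETERS.contains(&name.as_str()) {
            return false;
        }
        let denied_arg = DENIED_ARGS.iter().any(|(cmd, flag)| {
            name.as_str() == *cmd && argv.iter().any(|a| a.as_str() == *flag)
        });
        if denied_arg {
            return false;
        }
    }
    true
}

fn main() {
    let samples = [
        "ls -la /tmp",
        "echo rm | xargs",
        "LC_ALL=C /usr/bin/python3.11 -c 'import os; os.system(\"id\")'",
    ];
    for line in samples.iter() {
        println!("{:<65} allowed={}", line, is_command_allowed(line));
    }
}
```

Denying by program name deliberately trades some convenience (an agent cannot run python at all) for a rule that does not depend on enumerating every way an interpreter can be handed code; if a particular interpreter must stay available, run it under an OS-level sandbox rather than trying to filter its arguments.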