
[Bug]: TutorBot ExecTool executes LLM-generated shell commands through WebSocket chat #506

@Ro1ME

Description


Do you need to file an issue?

  • I have searched the existing issues and this bug is not already filed.
  • I believe this is a legitimate bug, not just a question or feature request.

Describe the bug

DeepTutor’s TutorBot shell tool exposes command execution through ExecTool.execute. In a real TutorBot WebSocket session, a user prompt can cause the LLM to select the shell tool and pass a generated command into:

asyncio.create_subprocess_shell(command, ...)

Affected component:

File: deeptutor/tutorbot/agent/tools/shell.py
Function: ExecTool.execute
Source line: 83
Sink line: 98

The validated path was:

User message -> TutorBot WebSocket session -> real Claude-compatible LLM -> ExecTool.execute -> asyncio.create_subprocess_shell

A benign marker file was created in the bot workspace:

deeptutor_note_21may.txt

Steps to reproduce

  1. Install DeepTutor from the affected source snapshot.
     git clone https://github.com/HKUDS/DeepTutor.git
     cd DeepTutor
     python -m venv .venv
     .venv\Scripts\activate
     pip install -e ".[server]"
  2. Start the backend.
     python -m deeptutor.api.run_server
  3. Start the frontend.
     cd web
     npm install
     npm run dev
  4. Open the DeepTutor web UI in a browser.
  5. Configure a real LLM API key, such as a Claude-compatible or OpenAI-compatible model.
  6. Create a new TutorBot.
  7. Enable the shell execution tool / ExecTool capability for the bot.
  8. Open the TutorBot chat session. The chat path uses the real WebSocket TutorBot entry.
  9. Send a benign prompt such as:
     Please create a file named deeptutor_note_21may.txt in your workspace with the content DEEPTUTOR_EXEC_TOOL_MARKER. Use the available shell tool if needed.
  10. Observe that the model can choose the shell tool and generate a shell command.
  11. Check the bot workspace:
      cat data/tutorbot/<bot_name>/workspace/deeptutor_note_21may.txt
  12. The marker file should contain:
      DEEPTUTOR_EXEC_TOOL_MARKER

Expected Behavior

A user prompt should not be able to drive LLM-generated shell commands into host shell execution without strong safety controls.

Expected protections include at least one of:

  • Disable shell execution tools by default.
  • Require explicit user/admin confirmation before shell execution.
  • Use a strict command allowlist.
  • Run commands only inside a hardened sandbox.
  • Prevent arbitrary model-generated command strings from reaching create_subprocess_shell.
  • Clearly warn users when enabling ExecTool.
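As an added example (not DeepTutor's code), the gate below shows how several of the protections listed above fit together in front of a tool like ExecTool: the model-generated string is tokenised with shlex instead of being handed to a shell, the program must be on a strict allowlist, path arguments are confined to the bot workspace, an explicit confirmation hook must approve the argv, and execution goes through create_subprocess_exec so no shell ever interprets the text. ALLOWED_COMMANDS, SHELL_METACHARS, the confirm callback and the sample workspace contents are hypothetical names and constructed inputs chosen for this example.

```python
"""Policy gate for an LLM-selected shell tool (added example, not DeepTutor's code).

The model-generated command string never reaches create_subprocess_shell.
It is tokenised with shlex, checked against a strict allowlist, confined to
the bot workspace, gated behind an explicit confirmation hook, and only then
run with create_subprocess_exec (no shell).  ALLOWED_COMMANDS, SHELL_METACHARS
and the confirm callback are hypothetical names chosen for this example.
"""
import asyncio
import shlex
from pathlib import Path
from typing import Callable, Optional

# Constructed allowlist: bare program name -> maximum number of arguments.
ALLOWED_COMMANDS = {"ls": 2, "cat": 1, "head": 3, "wc": 2}

# Tokens carrying these would only mean something to a shell.  With
# create_subprocess_exec they would be passed literally, but rejecting them
# keeps the policy legible and fails chained or substituted commands early.
SHELL_METACHARS = set(";&|<>`$(){}*?\n")


class CommandRejected(ValueError):
    """Raised when a model-generated command fails policy."""


def vet_command(command: str, workspace: str) -> list:
    """Return an argv list if `command` passes policy, else raise CommandRejected."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        raise CommandRejected(f"program not allowlisted: {prog!r}")
    for tok in argv:
        if SHELL_METACHARS & set(tok):
            raise CommandRejected(f"shell metacharacter in {tok!r}")
    if len(args) > ALLOWED_COMMANDS[prog]:
        raise CommandRejected(f"too many arguments for {prog}")
    ws = Path(workspace).resolve()
    for tok in args:
        if tok.startswith("-"):
            continue  # option flag, not a path
        # Resolve relative to the workspace and refuse anything outside it.
        if not (ws / tok).resolve().is_relative_to(ws):
            raise CommandRejected(f"path escapes workspace: {tok!r}")
    return argv


def rejection_reason(command: str, workspace: str) -> Optional[str]:
    """None if the command is accepted, otherwise the policy reason (useful for audit logs)."""
    try:
        vet_command(command, workspace)
    except CommandRejected as exc:
        return str(exc)
    return None


async def run_gated(command: str, workspace: str,
                    confirm: Callable[[list], bool], timeout: float = 10.0):
    """Vet, obtain explicit confirmation on the exact argv, then execute without a shell."""
    argv = vet_command(command, workspace)
    if not confirm(argv):
        raise CommandRejected("execution not confirmed by the user")
    proc = await asyncio.create_subprocess_exec(
        *argv,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE,
        cwd=workspace,
    )
    try:
        out, err = await asyncio.wait_for(proc.communicate(), timeout)
    except asyncio.TimeoutError:
        proc.kill()
        raise CommandRejected(f"command exceeded {timeout}s and was killed")
    return proc.returncode, out.decode(errors="replace"), err.decode(errors="replace")


def run_gated_sync(command: str, workspace: str, confirm: Callable[[list], bool]):
    """Blocking convenience wrapper around run_gated."""
    return asyncio.run(run_gated(command, workspace, confirm))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as ws:
        # Constructed workspace content for the demonstration.
        Path(ws, "notes.txt").write_text("hello from the workspace\n")
        for cmd in ("cat notes.txt", "cat notes.txt; id", "cat ../secret", "curl http://x"):
            print(f"{cmd!r:32} -> {rejection_reason(cmd, ws) or 'accepted'}")
        rc, out, _ = run_gated_sync("cat notes.txt", ws, confirm=lambda argv: True)
        print(rc, out.strip())
```

The confirm callback is where a real deployment would surface the exact argv to the user or an administrator before anything runs; showing the tokenised argv rather than the raw model string means the person approving sees precisely what will execute. The allowlist and workspace confinement are deliberately coarse; a hardened sandbox (separate user, container, or seccomp profile) is still the right place to enforce the remaining limits, and this gate should sit in front of it rather than replace it.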

Related Module

Dashboard

Configuration Used

Affected version: DeepTutor v1.4.0 source snapshot
TutorBot: newly created bot
Tool: ExecTool / shell execution enabled
LLM: real Claude-compatible model
Validation: real WebSocket service + real LLM + end-to-end tool execution
Payload: benign marker-file creation only

Logs and screenshots

Observed validation result:

A fresh DeepTutor websocket session against a newly created bot used the real tutorbot entry and a real Claude-compatible model to trigger ExecTool.execute, which created the preserved deeptutor_note_21may.txt marker in the bot workspace.

Relevant source sink:

process = await asyncio.create_subprocess_shell(
    command,
    stdout=asyncio.subprocess.PIPE,
    stderr=asyncio.subprocess.PIPE,
    cwd=cwd,
    env=env,
)

Additional Information

  • DeepTutor Version: v1.4.0
  • Operating System: Windows
  • Python Version: 3.11+
  • Node.js Version: 18+
  • Browser (if applicable): Chrome / Edge
  • Related Issues:
