
fix: remove JensenClaw easter egg (command injection vulnerability)#27

Merged
ericksoa merged 1 commit into main from fix/remove-easter-egg on Mar 16, 2026

Conversation

@ericksoa

Contributor

Summary

  • Removes .jensenclaw/ directory entirely — the web server had an unvalidated sessionId parameter that allowed command injection (.jensenclaw/server.js#L89)
  • Removes egg, claw, jensen CLI commands from nemoclaw
  • Removes JensenClaw service from start-services.sh
  • Cleans up all JensenClaw references from deploy rsync, package.json files list, help text, and Telegram bridge

Security

The sessionId parameter in .jensenclaw/server.js was passed directly into a shell command without sanitization, allowing arbitrary command execution. Reported by Spencer Davis (ThreatOps).

Test plan

  • Verify nemoclaw egg / nemoclaw claw / nemoclaw jensen no longer work
  • Verify nemoclaw start no longer starts the JensenClaw web server
  • Verify nemoclaw help no longer lists easter egg commands
  • Verify port 18789 is not bound after nemoclaw start

🤖 Generated with Claude Code

Removes the .jensenclaw/ web server which had an unvalidated sessionId
parameter that allowed command injection. Also removes all egg/claw/jensen
CLI commands and references from the codebase.

Fixes command injection via sessionId in .jensenclaw/server.js#L89.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa merged commit f0a9a1a into main on Mar 16, 2026
jessesanford pushed a commit to jessesanford/NemoClaw that referenced this pull request on Mar 24, 2026:
fix: remove JensenClaw easter egg (command injection vulnerability)
mafueee pushed a commit to mafueee/NemoClaw that referenced this pull request on Mar 28, 2026:
…IA#138)

Closes NVIDIA#27

Add remove() methods to TracingLogBus, PlatformEventBus, and
SandboxWatchBus to clean up entries when sandboxes are deleted.
Wire cleanup into both handle_deleted (K8s reconciler) and
delete_sandbox (gRPC handler). Reorder watch_sandbox to validate
sandbox existence before subscribing to buses, preventing entries
for non-existent IDs. Add one-time sandbox validation at stream
open in push_sandbox_logs.

Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
@cv mentioned this pull request on Jun 5, 2026
12 tasks
@wscurran added the bug-fix label (PR fixes a bug or regression) on Jun 8, 2026

Labels

bug-fix PR fixes a bug or regression


3 participants