[Security tracking] Dangerous Command Approval Bypass in `batch_runner.py` via Insecure Default Fallback (GHSA-7gp4-gfvg-4mpj)

[YLChen-007]

This issue tracks a private GitHub Security Advisory that is currently in triage.

• Advisory: GHSA-7gp4-gfvg-4mpj
• Status: triage
• Summary: Dangerous Command Approval Bypass in batch_runner.py via Insecure Default Fallback
• Advisory updated: 2026-04-24T11:10:13Z

Technical details, proof-of-concept material, affected code paths, and exploitability notes are intentionally omitted from this public issue while the advisory remains under triage. Please coordinate remediation and disclosure in the private Security Advisory thread.

[teknium1]

Closing the advisory tracked here (GHSA-7gp4-gfvg-4mpj) as not a vulnerability under SECURITY.md §3.2. Thanks to @YLChen-007 for the detailed report and PoC.

The behavior is real — in a headless context (batch_runner.py, scripted AIAgent) the dangerous-command approval gate auto-approves non-hardline commands. But it's out of scope under three independent §3.2 clauses:

1. "Bypasses of in-process heuristics (§2.4)" — "These components are not boundaries; defeating them is not a vulnerability under this policy." The approval gate is exactly such a heuristic.
2. "Prompt injection per se" — "'I achieved prompt injection' without a chained §3.1 outcome is not an actionable report." The chain here is injected-JSONL → LLM emits command; no boundary is crossed.
3. "Consequences of a chosen isolation posture" — "shell or file tools reaching host state under the local backend." batch_runner.py runs on the default local backend.

batch_runner.py runs an operator-supplied dataset on the operator's own host — inside the trust envelope (§2). The CVSS vector itself is AV:L/UI:R. The real boundary for untrusted input is terminal-backend isolation (§2.2/§4: run a Docker/Modal/Daytona sandbox when processing untrusted content), not the in-process approval gate.

Per §3.2, in-process hardening ideas remain welcome as regular issues/PRs — they just don't receive advisories.