Description
The execute_code sandbox in tools/code_execution_tool.py includes terminal in SANDBOX_ALLOWED_TOOLS. This allows LLM-generated Python code running inside the sandbox to execute arbitrary shell commands on the host via the RPC terminal() stub — bypassing the check_dangerous_command() approval system that protects the direct terminal tool call.
Attack flow
- LLM generates Python code inside the sandbox
- Code calls terminal("rm -rf /home/user") via the RPC stub
- Sandbox permits it because terminal is in the allowlist
- Command executes on the host with user privileges, no approval prompt
Root cause
SANDBOX_ALLOWED_TOOLS in tools/code_execution_tool.py contains "terminal". The dangerous command approval system relies on an interactive session context that does not exist in the sandbox subprocess. There is no TTY, no user to approve, and no mechanism to inject approval into the sandbox's RPC loop.
This is not a real sandbox (no container, namespace, seccomp, or cgroup isolation). The child process runs as the same user on the same machine — it can do anything the user can do.
Risk assessment
Critical. Any LLM prompt injection or confused deputy scenario where the agent generates sandbox code could result in arbitrary command execution as the user.
Fix
Remove terminal from SANDBOX_ALLOWED_TOOLS. The terminal tool remains available as a direct LLM tool call, protected by check_dangerous_command() with the 78-pattern dangerous command detection and user approval flow.
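Added example (not the project's own code) modelling the allowlist and RPC dispatch described above: the weak allowlist beside the corrected one, a dispatcher that refuses approval-gated tools when no approver exists, and a regression check. Names such as SANDBOX_ALLOWED_TOOLS_BEFORE, dispatch_rpc and REQUIRES_APPROVAL are hypothetical stand-ins for the real module.

```python
from dataclasses import dataclass, field

# Tools whose host-side handler must pass the dangerous-command approval prompt.
REQUIRES_APPROVAL = frozenset({"terminal"})

# Weak setting (the bug): terminal is reachable from the sandbox RPC stub.
SANDBOX_ALLOWED_TOOLS_BEFORE = frozenset({"read_file", "write_file", "terminal"})
# Corrected setting: terminal removed from the sandbox allowlist.
SANDBOX_ALLOWED_TOOLS_AFTER = frozenset({"read_file", "write_file"})


@dataclass
class RpcContext:
    allowlist: frozenset
    interactive: bool            # False in the sandbox subprocess: no TTY, no approver
    audit: list = field(default_factory=list)


def dispatch_rpc_naive(ctx: RpcContext, tool: str, args: dict) -> str:
    """Allowlist-only dispatch: this is the gap the issue describes."""
    if tool not in ctx.allowlist:
        return "refused"
    return "executed"            # approval gate never consulted


def dispatch_rpc(ctx: RpcContext, tool: str, args: dict) -> str:
    """Hardened host-side decision for one tool call arriving over RPC."""
    if tool not in ctx.allowlist:
        ctx.audit.append(("refused", tool, "not in sandbox allowlist"))
        return "refused"
    if tool in REQUIRES_APPROVAL and not ctx.interactive:
        # Defence in depth: even with a wrong allowlist, never run an
        # approval-gated tool in a context where nobody can approve it.
        ctx.audit.append(("refused", tool, "approval gate has no approver"))
        return "refused"
    ctx.audit.append(("executed", tool, args))
    return "executed"


def allowlist_is_safe(allowlist: frozenset) -> bool:
    """Regression check: no approval-gated tool may be sandbox-reachable."""
    return not (allowlist & REQUIRES_APPROVAL)


if __name__ == "__main__":
    before = RpcContext(SANDBOX_ALLOWED_TOOLS_BEFORE, interactive=False)
    after = RpcContext(SANDBOX_ALLOWED_TOOLS_AFTER, interactive=False)
    print("naive/before:", dispatch_rpc_naive(before, "terminal", {"cmd": "ls"}))
    print("hardened/after:", dispatch_rpc(after, "terminal", {"cmd": "ls"}))
    print("allowlist safe:", allowlist_is_safe(SANDBOX_ALLOWED_TOOLS_AFTER))
```

The allowlist_is_safe check belongs in the test suite so a future edit cannot silently reintroduce terminal into the sandbox allowlist.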
Proposed fix branch
fix/security-remove-terminal-from-sandbox — see PR #4143
References
- Spec: .claude/docs/superpowers/specs/2026-03-30-remove-terminal-from-sandbox-design.md