Primary

Context

JunoClaw Plugin-Shell Shell-Metacharacter Injection Vulnerability

Vulnerability

A shell-metacharacter injection vulnerability has been identified in the JunoClaw AI platform, specifically within the plugin-shell component, in versions prior to v0.x.y-security-1. The issue arises because the run_command function wrapped agent-supplied commands in a shell command execution wrapper, passing the entire argument string to the shell's parser. This allowed shell metacharacters in agent-provided arguments to be interpreted as command syntax, creating a potential for injection attacks.

Impact

Exploitation of this vulnerability allowed for shell metacharacter injection, where metacharacters in agent-supplied arguments were interpreted as command syntax by the shell. This could have been used to manipulate command execution in a harmful way.

Remediation

Users can upgrade to JunoClaw version v0.x.y-security-1 or later to address this vulnerability. Instructions for upgrading are available in the JunoClaw repository's release notes.

Added: May 12, 2026, 5:38 PM

Updated: May 12, 2026, 5:38 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.3

remediation

0.0

relevance

8.1

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.3

remediation

0.0

relevance

8.1

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

JunoClaw Plugin-Shell Shell-Metacharacter Injection Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Dragonmonk111 JunoClaw

Dragonmonk111 JunoClaw plugin-shell

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating