CodeWhale Task Creation Tool Insecure Defaults Allowing Unrestricted Shell Access

Vulnerability

A vulnerability in CodeWhale, a DeepSeek + MiMo coding agent, prior to version 0.8.26 allows unauthorized shell access through the task_create tool. Sub-agents spawned by task_create inherit two insecure default settings: allow_shell, which defaults to true, and auto_approve, which also defaults to true. A user who approves a task_create call believes they are authorizing a benign work prompt, but the sub-agent receives unrestricted shell access without additional approval. This issue is fixed in version 0.8.26.
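
The default-inheritance problem described above, modelled as an added example (not CodeWhale's code and not its actual fix). Only the allow_shell and auto_approve field names come from the advisory; SubAgentPolicy, effective_policy, approval_text and shell_request are hypothetical names, and the sample prompt and command are constructed.

```python
from dataclasses import asdict, dataclass
from typing import Callable


@dataclass(frozen=True)
class SubAgentPolicy:
    allow_shell: bool
    auto_approve: bool


# Defaults as the advisory describes them for versions before 0.8.26.
INSECURE = SubAgentPolicy(allow_shell=True, auto_approve=True)
# Default-deny alternative (an assumption, not the project's actual fix).
HARDENED = SubAgentPolicy(allow_shell=False, auto_approve=False)

# Constructed sample: a task_create call that carries only a work prompt.
SAMPLE_ARGS = {"prompt": "Address the TODO comments"}


def effective_policy(args: dict, defaults: SubAgentPolicy) -> SubAgentPolicy:
    """Fields the task_create arguments omit fall back to the defaults."""
    return SubAgentPolicy(
        allow_shell=bool(args.get("allow_shell", defaults.allow_shell)),
        auto_approve=bool(args.get("auto_approve", defaults.auto_approve)),
    )


def approval_text(args: dict, policy: SubAgentPolicy) -> str:
    """Approval prompt that lists effective capabilities beside the work prompt."""
    caps = [name for name, on in asdict(policy).items() if on] or ["none"]
    return f"task_create {args['prompt']!r}; sub-agent gets: {', '.join(caps)}"


def shell_request(policy: SubAgentPolicy, ask_user: Callable[[str], bool], cmd: str) -> str:
    """Outcome when the sub-agent asks to run a shell command."""
    if not policy.allow_shell:
        return "blocked"
    if policy.auto_approve:
        return "ran unprompted"  # the user is never consulted
    return "ran after approval" if ask_user(cmd) else "blocked"


if __name__ == "__main__":
    refuse = lambda _cmd: False  # a user who would decline any shell prompt
    for label, defaults in (("insecure", INSECURE), ("hardened", HARDENED)):
        policy = effective_policy(SAMPLE_ARGS, defaults)
        print(label, "|", approval_text(SAMPLE_ARGS, policy),
              "|", shell_request(policy, refuse, "echo hello"))
```

With the insecure defaults the command runs even though the simulated user would refuse every shell prompt; with default-deny the same call yields no shell capability, and an explicit allow_shell request both appears in the approval text and still passes through a per-command prompt.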

Impact

This vulnerability enables remote code execution by allowing a sub-agent to execute shell commands on behalf of the user, bypassing the approval process for shell access.

Reproduction

To reproduce this vulnerability, create a malicious repository and include a README file that instructs the sub-agent to execute commands. After creating the repository, open it in DeepSeek-TUI and initiate a task that appears harmless, such as addressing TODO comments. Once the task is approved, the sub-agent will execute the injected commands without further approval, exploiting the insecure defaults.

Remediation

Users can update to CodeWhale version 0.8.26 or later, where this vulnerability is fixed.

Added: May 28, 2026, 7:07 PM
Updated: May 28, 2026, 7:07 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.5
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.