What version of Kimi Code is running?
0.16.0
Which open platform/subscription were you using?
Kimi Code (OAuth)
Which model were you using?
No response
What platform is your computer?
No response
What issue are you seeing?
The Bash tool currently embeds the working directory into a generated shell command:
```ts
const shellArgs = [
  this.kaos.osEnv.shellPath,
  '-c',
  `cd ${shellQuote(shellCwd)} && ${command}`,
];
```
After investigation, I could not reproduce the originally reported command injection scenario because shellQuote() correctly wraps the path in single quotes.
However, the current implementation still constructs shell source code unnecessarily. Embedding cwd into a shell string:
- increases security audit complexity,
- makes future regressions easier,
- duplicates functionality already provided by the process execution layer.
The working directory can be set directly when spawning the process instead of generating:
cd '' &&
I have verified that replacing this with process-level cwd configuration preserves behavior while removing shell interpolation of the working directory entirely.
What steps can reproduce the bug?
This is not a confirmed command injection vulnerability.
The issue can be observed by inspecting the current implementation in:
packages/agent-core/src/tools/builtin/shell/bash.ts
Current behavior:
```ts
const shellArgs = [
  shellPath,
  '-c',
  `cd ${shellQuote(shellCwd)} && ${command}`,
];
```
Expected behavior:
```ts
this.kaos
  .withCwd(effectiveCwd)
  .execWithEnv([shellPath, '-c', command], env);
```
This avoids embedding the working directory into shell source code and delegates cwd handling to the process execution layer.
Validation performed:
- cwd is passed via kaos.withCwd()
- cwd no longer appears in the generated bash -c string
- existing command execution behavior is unchanged
- Windows nul handling continues to work
- related tests pass successfully
What is the expected behavior?
No response
Additional information
No response
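The two approaches side by side, as an added example that is not part of the original issue and is not Kimi Code's code. It uses Node's `child_process` on a constructed directory name containing shell metacharacters; `shellQuote` here is a hypothetical stand-in for the project's helper, and a POSIX shell at `/bin/sh` is assumed.

```javascript
const { spawnSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const SHELL = '/bin/sh'; // assumption: a POSIX shell lives here

// Hypothetical stand-in for the project's shellQuote(): POSIX single-quote wrapping.
function shellQuote(s) {
  return `'${String(s).replace(/'/g, `'\\''`)}'`;
}

function run(argv, options) {
  const r = spawnSync(argv[0], argv.slice(1), { encoding: 'utf8', ...options });
  if (r.error) throw r.error;
  return { argv, status: r.status, stdout: r.stdout.trim() };
}

// Current behavior: the working directory becomes part of the shell source text.
function runEmbedded(cwd, command) {
  return run([SHELL, '-c', `cd ${shellQuote(cwd)} && ${command}`], {});
}

// Proposed behavior: the working directory is handed to the process layer instead.
function runWithProcessCwd(cwd, command) {
  return run([SHELL, '-c', command], { cwd });
}

// Runs both variants in a constructed directory whose name would be
// meaningful to a shell if it were ever interpolated unquoted.
function compare() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'cwd-demo-'));
  const dir = path.join(base, `it's a $(echo dir) ; name`);
  fs.mkdirSync(dir);
  try {
    const real = fs.realpathSync(dir);
    const embedded = runEmbedded(dir, 'pwd -P');
    const direct = runWithProcessCwd(dir, 'pwd -P');
    return {
      sameDirectory: embedded.stdout === real && direct.stdout === real,
      embeddedSourceHasCwd: embedded.argv[2].includes('echo dir'),
      directSourceHasCwd: direct.argv.some((a) => a.includes('echo dir')),
      directSource: direct.argv[2],
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

Both variants end up in the same directory, but only the embedded one depends on the quoting helper being correct; a check like `directSourceHasCwd === false` can serve as a regression test for the change.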