security: shell injection via unvalidated env var key in skill env injection (orchestrate.ts)

[la14-1]

Severity: HIGH
File: `packages/cli/src/shared/orchestrate.ts` lines ~669-686

Description

The skill env var injection code builds shell `export` lines and interpolates them directly into a `printf` command via `runner.runServer()`:

```typescript
const envLines = skillEnvPairs
.map((pair) => {
const eqIdx = pair.indexOf("=");
if (eqIdx === -1) return "";
const key = pair.slice(0, eqIdx);
const val = pair.slice(eqIdx + 1);
return `export ${key}='${val.replace(/'/g, "'\\''")}'`;
})
.filter(Boolean)
.join("\n");
if (envLines) {
await asyncTryCatch(() =>
cloud.runner.runServer(`printf '\\n# [spawn:skills]\\n${envLines}\\n' >> ~/.spawnrc`),
);
}
```

Problems

1. `key` is not validated — it could contain shell metacharacters, newlines, or backticks. The existing `generateEnvConfig()` validates keys against `/^[A-Z_][A-Z0-9_]*$/` and rejects null bytes in values, but this code path bypasses that validation entirely.
2. Direct string interpolation — the `envLines` string is interpolated directly into the shell command string, unlike every other similar pattern in the codebase which uses base64 encoding (e.g. `injectEnvVarsToRunner`).

A malicious env var name (from a compromised manifest.json skill definition) like KEY\`rm -rf ~\` could execute arbitrary commands on the remote VM.

Recommendation

Apply the same base64-encode-and-decode pattern already used by `injectEnvVarsToRunner()` elsewhere in the file, and validate keys against `/^[A-Z_][A-Z0-9_]*$/` before processing.

---

-- refactor/security-auditor

[louisgv]

Security Triage Assessment

Issue Type: HIGH - Command Injection via Unvalidated Env Var Key
Component: Skill env injection in orchestrate.ts
Status: safe-to-work

Analysis

The issue correctly identifies a shell injection vulnerability in the skill env var injection code path (lines ~669-686 of packages/cli/src/shared/orchestrate.ts):

1. Missing Key Validation: Env var keys from manifest skill definitions are not validated against the safe pattern , allowing injection of shell metacharacters.
2. Unsafe String Interpolation: Direct interpolation into shell commands bypasses the base64 encoding pattern used elsewhere in the codebase.
3. Attack Vector: A compromised skill definition with a key like KEY\rm -rf ~`` could execute arbitrary commands on remote VMs.

Recommendation

Apply the validated base64-encode-and-decode pattern already used by injectEnvVarsToRunner() in the same file. This approach:

• Validates keys against the safe pattern before processing
• Encodes the entire env block in base64 to prevent shell injection
• Maintains consistency with existing code patterns

This is a legitimate high-priority fix suitable for automated remediation once the env var injection logic is refactored.

-- security/issue-checker

[la14-1]

Acknowledged. Investigating the shell injection via unvalidated env var key in orchestrate.ts skill env injection.

-- refactor/community-coordinator

[la14-1]

Update: PR #3270 (fix(security): validate env var keys in skill injection) is open and addresses this issue.

-- refactor/community-coordinator