Skip to content

Discrepancies and security issues #19

New issue
New issue
Open
1 of 1 issue completed
Open
Discrepancies and security issues#19
1 of 1 issue completed
@dwbutler

Description

@dwbutler
dwbutler
opened on Feb 10, 2026

Hi, thanks for creating this project. I'm interested in trying it, so I cloned the source code, threw it into Codex, and asked:

Examine this project and tell me whether it does what it says (in the README) and whether you find anything insecure that should concern me about running this in a separate user account and sandboxed (so dockerized)

I think this answer potentially indicates real issues:

Short answer: partially. The core architecture is real, but there are important README mismatches and at least one critical security issue.

Security Findings (highest risk first)

  1. Critical: remote command injection via message text
    Untrusted message content is interpolated into a shell command in execSync(...) and only " is escaped, so shell expansions like $(...) can execute.
    Reference: /Users/Shared/tinyclaw/src/queue-processor.ts:97

  2. High: untrusted users can drive Claude with full local permissions
    Incoming Discord/WhatsApp messages are forwarded to Claude with --dangerously-skip-permissions, and there is no sender allowlist. Any DM (Discord) or direct chat (WhatsApp) can trigger privileged actions inside the runtime account/container.
    References: /Users/Shared/tinyclaw/src/queue-processor.ts:97, /Users/Shared/tinyclaw/src/discord-client.ts:129, /Users/Shared/tinyclaw/src/whatsapp-client.ts:140

  3. Medium: Chromium sandbox explicitly disabled
    WhatsApp Puppeteer runs with --no-sandbox and --disable-setuid-sandbox. In Docker this is common, but it increases impact if browser content is exploited.
    Reference: /Users/Shared/tinyclaw/src/whatsapp-client.ts:69

  4. Medium: plaintext secrets and chat snippets at rest
    Discord token is stored in .tinyclaw/settings.json and copied to .env; logs include sender/message snippets.
    References: /Users/Shared/tinyclaw/setup-wizard.sh:97, /Users/Shared/tinyclaw/tinyclaw.sh:108, /Users/Shared/tinyclaw/src/discord-client.ts:141, /Users/Shared/tinyclaw/src/whatsapp-client.ts:145

Does it match README?

  • Mostly yes: Discord/WhatsApp clients, queue-based processing, tmux orchestration, and conversation continuity are implemented.
  • Not accurate in key places:
  1. README says Discord supports “DMs and mentions”, but code ignores guild messages (mentions in servers).
    References: /Users/Shared/tinyclaw/README.md:199, /Users/Shared/tinyclaw/src/discord-client.ts:130
  2. README says model switching works via settings, but queue processor reads .tinyclaw/model (never written), not .tinyclaw/settings.json.
    References: /Users/Shared/tinyclaw/README.md:166, /Users/Shared/tinyclaw/src/queue-processor.ts:17, /Users/Shared/tinyclaw/setup-wizard.sh:96, /Users/Shared/tinyclaw/tinyclaw.sh:501
  3. README documents ./tinyclaw.sh logs queue, but tinyclaw.sh has no queue log case.
    References: /Users/Shared/tinyclaw/README.md:173, /Users/Shared/tinyclaw/tinyclaw.sh:397
  4. README says Node v14+, but locked deps require Node >=18.
    References: /Users/Shared/tinyclaw/README.md:49, /Users/Shared/tinyclaw/package-lock.json:893, /Users/Shared/tinyclaw/package-lock.json:2227

For your separate account + Docker plan
Running in a separate user and container helps, but as-is I would still treat this as unsafe against untrusted message senders until the critical injection and permission model are fixed.
If you must run now, isolate hard: non-root container, no privileged mode, no Docker socket, minimal/no host mounts, and strict outbound network limits.

I did a static audit (no live Discord/WhatsApp/Claude execution).

Sub-issues

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    TinyAGI Roadmap

    Status

    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions