PicoClaw Security Audit
Greyforge Labs Findings
We were alerted to PicoClaw through unusual algorithmic amplification patterns, then conducted a full local defensive audit. The result: no proven covert implant, but multiple critical exploit paths that can act like practical backdoors when deployed without strict hardening.
Executive Summary
Greyforge Labs reviewed the PicoClaw source and control flow with static analysis plus local proof-of-concept validation. We identified a set of high-impact weaknesses that materially increase compromise risk in real deployments.
Top-line verdict
- Critical containment bypass in workspace path checks.
- Untrusted inbound message pathways can reach shell-capable agent tooling.
- Certain listener/channel configurations expose unauthenticated ingress.
- SSRF-capable web-fetch behavior can query internal targets.
We did not find conclusive evidence of a deliberate covert C2 implant. We did find multiple backdoor-like exploit surfaces that require immediate hardening before high-trust production use.
Why We Audited It
The trigger for this review was discovery behavior that looked manipulated. Given long-standing supply-chain and ecosystem trust concerns in mixed hardware/software stacks, we treated that signal as a risk indicator and executed a full defensive audit using local tooling and direct code tracing.
We intentionally separated evidence from attribution: risk is confirmed by code behavior, while intent requires a higher burden of proof.
Confirmed Findings
| Severity | Finding | Impact |
|---|---|---|
| Critical | Workspace path containment bypass | Out-of-scope file read/write |
| Critical | Untrusted channel input to shell-capable toolchain | Potential remote command execution path |
| Critical | Unauthenticated listener exposure in channel mode | Unauthorized inbound event injection |
| High | SSRF in web fetch capability | Internal service probing and data retrieval |
| High | Blacklist-style command guard model | Bypass risk under adversarial prompts |
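The first Critical row concerns a workspace containment check that can be bypassed. The following is an added example, written in Go for this page and not taken from PicoClaw or from the Greyforge report: it puts the weak string-prefix pattern beside a canonical, symlink-safe containment check and runs both over a constructed temporary layout (the workspace name, the sibling directory `ws-secrets`, the file `key.pem` and the symlink `link` are all invented for the demonstration).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// prefixContained is the weak pattern the finding describes: a raw string
// prefix test. It passes "..", sibling directories that share the prefix,
// and symlinks that leave the root. Shown as the "before" form only.
func prefixContained(root, candidate string) bool {
	return strings.HasPrefix(candidate, root)
}

var errOutsideWorkspace = errors.New("path resolves outside workspace")

// containedPath canonicalises the root and the candidate (symlinks included)
// and decides containment with filepath.Rel. The returned path is the real
// on-disk location the caller should use from then on. A target that does
// not exist yet is accepted only when its parent directory exists.
func containedPath(root, candidate string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realRoot, _ = filepath.Abs(realRoot)

	abs := candidate
	if !filepath.IsAbs(abs) {
		abs = filepath.Join(realRoot, abs)
	}
	abs = filepath.Clean(abs)

	resolved, err := filepath.EvalSymlinks(abs)
	if errors.Is(err, os.ErrNotExist) {
		// Resolve the parent instead: a symlink can only exist where a
		// component exists, so re-joining the final name is symlink-safe.
		parent, perr := filepath.EvalSymlinks(filepath.Dir(abs))
		if perr != nil {
			return "", perr
		}
		resolved, err = filepath.Join(parent, filepath.Base(abs)), nil
	}
	if err != nil {
		return "", err
	}

	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideWorkspace
	}
	return resolved, nil
}

// scenario builds a throwaway layout (constructed for this example) and
// reports per case {weak check accepts, hardened check accepts}.
func scenario() (map[string][2]bool, error) {
	base, err := os.MkdirTemp("", "ws-audit-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)

	ws := filepath.Join(base, "ws")
	outside := filepath.Join(base, "ws-secrets") // shares the "ws" prefix
	for _, d := range []string{ws, outside} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return nil, err
		}
	}
	secret := filepath.Join(outside, "key.pem")
	if err := os.WriteFile(secret, []byte("constructed"), 0o600); err != nil {
		return nil, err
	}
	// A symlink inside the workspace that points out of it.
	if err := os.Symlink(outside, filepath.Join(ws, "link")); err != nil {
		return nil, err
	}

	cases := map[string]string{
		"inside":  filepath.Join(ws, "notes.txt"),      // new file, parent exists
		"dotdot":  ws + "/../ws-secrets/key.pem",        // traversal
		"sibling": secret,                               // prefix collision
		"symlink": filepath.Join(ws, "link", "key.pem"), // symlink escape
	}
	out := make(map[string][2]bool, len(cases))
	for name, p := range cases {
		_, herr := containedPath(ws, p)
		out[name] = [2]bool{prefixContained(ws, p), herr == nil}
	}
	return out, nil
}

func main() {
	res, err := scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, r := range res {
		fmt.Printf("%-8s weak=%v hardened=%v\n", name, r[0], r[1])
	}
}
```

The weak check accepts all four paths; the hardened one accepts only the file that really lives under the workspace. Two details matter in practice: the caller must keep using the resolved path that `containedPath` returns (re-opening the original string reintroduces the race), and the `filepath.Rel` test is what closes the `ws` versus `ws-secrets` prefix collision that `HasPrefix` cannot see.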
Intent vs. Exploitability
There is a meaningful difference between proving an intentional hidden backdoor and proving an exploitable backdoor-like condition. In this case, we confirmed the latter with high confidence.
Our current evidence does not justify a definitive claim that covert malicious logic was intentionally inserted. It does justify immediate hardening and strict deployment constraints.
Recommended Remediation Path
Immediate (0-24h)
- Replace prefix path checks with canonical containment + symlink-safe resolution.
- Disable shell tool for externally reachable channels.
- Require explicit allowlists when any channel is enabled.
- Default all listener binds to localhost unless manually overridden.
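Three of the items above (no shell tool on externally reachable channels, explicit allowlists, and replacing the blacklist-style guard from the findings table) describe one trust boundary between inbound messages and tool execution. The following added example, written in Go for this page and not taken from PicoClaw, shows that boundary as a single function: the channel names, tool names and binary paths are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Channel describes where a request came from. External is true for any
// listener or channel reachable from outside the host (webhook, chat bot).
type Channel struct {
	Name     string
	External bool
}

// toolBinaries is the explicit allowlist: tool name -> fixed absolute path.
// Nothing outside this map can run, PATH is never consulted and no shell
// parses the arguments. Names and paths are assumptions for this example.
var toolBinaries = map[string]string{
	"list_files": "/bin/ls",
	"read_file":  "/bin/cat",
	"shell":      "/bin/sh", // only ever reachable from non-external channels
}

// shellTools are tools that hand the model an interpreter; they are refused
// outright for external channels, as the remediation list advises.
var shellTools = map[string]bool{"shell": true}

var (
	errShellFromExternal = errors.New("shell-capable tool refused for external channel")
	errNotAllowlisted    = errors.New("tool not in allowlist")
	errBadArgument       = errors.New("argument contains control characters")
)

// authorizeTool is the one place inbound requests are turned into commands.
// A blacklist asks "is this forbidden?"; this asks "is this permitted?", so
// anything the policy does not name is rejected by default.
func authorizeTool(ch Channel, tool string, args []string) (*exec.Cmd, error) {
	if shellTools[tool] && ch.External {
		return nil, errShellFromExternal
	}
	bin, ok := toolBinaries[tool]
	if !ok {
		return nil, fmt.Errorf("%w: %q", errNotAllowlisted, tool)
	}
	for _, a := range args {
		if strings.ContainsAny(a, "\x00\r\n") {
			return nil, errBadArgument
		}
	}
	cmd := exec.Command(bin, args...) // argv passed directly, never via sh -c
	cmd.Env = []string{"PATH=/usr/bin:/bin", "LANG=C"}
	return cmd, nil
}

// decisions runs a constructed set of requests through the boundary and
// reports which were authorised (true) for the demo and the test.
func decisions() map[string]bool {
	internal := Channel{Name: "local-cli", External: false}
	external := Channel{Name: "telegram", External: true}
	reqs := map[string]struct {
		ch   Channel
		tool string
		args []string
	}{
		"internal list":  {internal, "list_files", []string{"-la", "."}},
		"internal shell": {internal, "shell", []string{"-c", "echo ok"}},
		"external list":  {external, "list_files", []string{"."}},
		"external shell": {external, "shell", []string{"-c", "id"}},
		"unknown tool":   {external, "curl", []string{"http://example.invalid"}},
		"newline arg":    {internal, "read_file", []string{"notes.txt\nother"}},
	}
	out := make(map[string]bool, len(reqs))
	for name, r := range reqs {
		_, err := authorizeTool(r.ch, r.tool, r.args)
		out[name] = err == nil
	}
	return out
}

func main() {
	for name, ok := range decisions() {
		fmt.Printf("%-15s allowed=%v\n", name, ok)
	}
}
```

The point of the shape is that every denial falls out of the absence of an entry, so adding a tool is a deliberate configuration change rather than an omission from a deny list; the returned `*exec.Cmd` should additionally be run with the workspace as its working directory and with resource limits, which are deployment details the page leaves to the operator.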
High Priority (24-72h)
- Add SSRF guards: deny localhost, link-local, RFC1918/private ranges, and metadata endpoints.
- Enforce request size limits and event backpressure.
- Tighten file permissions on config/log outputs containing sensitive material.
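The first item above lists the address classes an SSRF guard for the web-fetch capability must deny. The following added example, written in Go for this page and not taken from PicoClaw, implements that guard in a form that can be tested offline: it takes a resolver function so the constructed hostnames (`intranet.example`, `public.example`, `mixed.example`) and their made-up answers stand in for DNS, and it returns the vetted address so the caller can pin the connection to it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver lets the guard run offline; in production wrap
// net.DefaultResolver.LookupIP. Every returned address is vetted, not just
// the first, because an attacker-controlled name can mix public and private.
type Resolver func(host string) ([]net.IP, error)

var errSSRFDenied = errors.New("fetch target denied by SSRF policy")

// blockedIP covers the classes the remediation list names: loopback,
// link-local (which includes the 169.254.169.254 metadata address), RFC 1918
// and IPv6 ULA private ranges, plus unspecified and multicast. IPv4-mapped
// IPv6 is handled because net.IP's predicates look through To4().
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// vetFetchURL restricts the scheme, refuses localhost names, resolves the
// host and checks each address. The vetted IP is returned so the caller dials
// exactly that address, closing the DNS-rebinding gap between check and use.
func vetFetchURL(raw string, resolve Resolver) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", errSSRFDenied, u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") || strings.HasSuffix(strings.ToLower(host), ".localhost") {
		return nil, fmt.Errorf("%w: host %q", errSSRFDenied, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: no addresses for %q", errSSRFDenied, host)
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", errSSRFDenied, host, ip)
		}
	}
	return ips[0], nil
}

// constructedResolver stands in for DNS with invented answers (example data;
// 203.0.113.0/24 is the documentation range, not a real service).
func constructedResolver(host string) ([]net.IP, error) {
	table := map[string][]string{
		"intranet.example": {"192.168.1.10"},
		"public.example":   {"203.0.113.7"},
		"mixed.example":    {"203.0.113.8", "10.0.0.5"}, // one public, one private
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

// verdicts evaluates a constructed set of fetch targets; true means allowed.
func verdicts() map[string]bool {
	targets := []string{
		"http://127.0.0.1:8080/admin",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.5]/",
		"http://localhost/",
		"http://intranet.example/status",
		"http://mixed.example/",
		"ftp://public.example/file",
		"https://public.example/api",
	}
	out := make(map[string]bool, len(targets))
	for _, t := range targets {
		_, err := vetFetchURL(t, constructedResolver)
		out[t] = err == nil
	}
	return out
}

func main() {
	for t, ok := range verdicts() {
		fmt.Printf("%-42s allowed=%v\n", t, ok)
	}
}
```

Only the last target passes. To make the pin effective, the HTTP transport should dial the returned IP (keeping the original hostname for the Host header and TLS server name), and redirects must be re-vetted through the same function via the client's `CheckRedirect` hook, since a public host can otherwise redirect into the ranges this guard denies.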
Technical Appendix for Researchers
The full evidence-backed Markdown report remains available internally and includes line-referenced findings with local PoC validation notes: Greyforge internal security archive (private).
Research emphasis: containment validation logic, tool invocation trust boundaries, channel ingress controls, and fetch-layer SSRF policy.
Closing Position
Security posture is a property of deployed behavior, not branding. PicoClaw can be hardened, but in reviewed form it is not a safe default for high-trust deployment.
Greyforge Labs will continue audit-driven publication as part of our security research track while we expand ForgeQuant and ForgeOps hardening pipelines.