# PicoClaw Security Audit - Public Proof Note

Date: 2026-02-16  
Status: public scrubbed note  
Prepared by: Greyforge Labs

Related chronicle: https://greyforge.tech/chronicles/picoclaw-security-audit-greyforge-labs  
Audited repo: https://github.com/sipeed/picoclaw

## Public Scope

This note exists so the public chronicle is inspectable without publishing exploit-ready reproduction details.

Greyforge reviewed the public PicoClaw codebase with static analysis, manual source tracing, and controlled local validation of the most security-sensitive paths.

We did not run unauthorized attacks against third-party systems.

## Public Verdict

Greyforge did not confirm an intentional covert backdoor.

Greyforge did confirm multiple high-risk conditions that can behave like practical backdoor surfaces when the software is deployed without strict hardening.

That is enough to block any high-trust deployment recommendation.

## Findings At A Glance

| Severity | Finding family | Public impact summary |
| --- | --- | --- |
| Critical | Workspace containment failure | Out-of-scope file read/write becomes plausible |
| Critical | Untrusted input reaching shell-capable tooling | Remote command execution risk chain under weak channel policy |
| Critical | Weak or missing ingress authentication in some modes | Unauthorized event injection path |
| High | Web fetch trust boundary weakness | Internal service probing and data retrieval risk |
| High | Convenience-first command guard model | Adversarial bypass pressure against safety policy |

## What We Are Publishing

- the existence and severity of the finding families
- the public deployment verdict
- the hardening priorities
- the distinction between exploitability and intent

## What We Are Not Publishing

- exact file and line references
- reproduction strings or exploit payloads
- private validation artifacts
- internal notes that would materially lower the effort required to weaponize the issues

## Hardening Priorities

1. Replace prefix-style path checks with canonical containment checks that resolve ambiguity safely.
2. Treat externally reachable channels as low-trust by default and remove shell-capable authority from them.
3. Require explicit allowlists and safer bind defaults for inbound listeners.
4. Add SSRF policy to fetch behavior, including localhost, metadata, and private-network protections.
5. Tighten file permission defaults and request-pressure controls.
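Priorities 1 and 4 above, shown as working code. This is an added example written for this note, not Greyforge's validation code and not code from the PicoClaw repository; it assumes a Go code base (PicoClaw is taken here to be written in Go), and the workspace root `/srv/ws`, the hostnames and the addresses are constructed for illustration. The weak prefix-style check is placed beside the canonical containment check so the difference is visible on a sibling directory, and the fetch policy blocks loopback, link-local (which includes the cloud metadata endpoint), private and CGNAT space on every resolved address.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a requested path resolves outside the workspace root.
var ErrOutsideWorkspace = errors.New("path resolves outside the workspace root")

// ErrBlockedDestination is returned when a fetch target fails the SSRF policy.
var ErrBlockedDestination = errors.New("fetch destination blocked by SSRF policy")

// NaivePrefixCheck is the weak pattern priority 1 warns about: a plain string-prefix
// comparison. Root "/srv/ws" accepts "/srv/ws2/secret" because the prefix matches.
func NaivePrefixCheck(root, requested string) bool {
	return strings.HasPrefix(filepath.Clean(requested), filepath.Clean(root))
}

// ContainedPath resolves requested against root and accepts it only if the cleaned
// result sits inside root on a path-component boundary, not merely as a string prefix.
// Relative inputs are joined to root; absolute inputs are checked as given.
func ContainedPath(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Clean(requested)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate) // Join also collapses ".." segments
	}
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideWorkspace, requested)
	}
	return candidate, nil
}

// extraBlocked covers ranges net.IP's own predicates do not classify: the CGNAT
// block 100.64.0.0/10 used inside many cloud networks and 192.0.0.0/24 (RFC 6890).
var extraBlocked = mustCIDRs("100.64.0.0/10", "192.0.0.0/24")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsDisallowedIP reports whether an address points at unspecified, loopback, private,
// link-local (169.254.0.0/16 includes the metadata endpoint) or multicast space.
// IPv4-mapped IPv6 addresses are classified by their embedded IPv4 value.
func IsDisallowedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckFetchDestination applies the policy priority 4 describes: http(s) only, no
// localhost names, and every resolved address must be publicly routable. The caller
// resolves the host and passes the addresses in, then must dial one of those vetted
// addresses rather than re-resolving, or DNS rebinding could swap in a blocked one.
func CheckFetchDestination(rawURL string, resolved []net.IP) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrBlockedDestination, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("%w: host %q", ErrBlockedDestination, host)
	}
	candidates := append([]net.IP(nil), resolved...)
	if ip := net.ParseIP(host); ip != nil {
		candidates = append(candidates, ip) // a literal IP in the URL is checked as well
	}
	if len(candidates) == 0 {
		return fmt.Errorf("%w: %q did not resolve", ErrBlockedDestination, host)
	}
	for _, ip := range candidates {
		if IsDisallowedIP(ip) {
			return fmt.Errorf("%w: %s resolves to %s", ErrBlockedDestination, host, ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(NaivePrefixCheck("/srv/ws", "/srv/ws2/secret")) // true: the weakness
	_, err := ContainedPath("/srv/ws", "/srv/ws2/secret")
	fmt.Println(err) // rejected by the canonical check
	fmt.Println(CheckFetchDestination("http://169.254.169.254/latest/meta-data/", nil))
}
```

On a real filesystem the containment check should also run `filepath.EvalSymlinks` on the deepest existing ancestor of the candidate before the `Rel` comparison, so a symlink planted inside the workspace cannot point the resolved path outside it; that step is omitted here so the example runs without touching disk.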

## Why This Public Note Exists

Greyforge publishes security criticism with evidence surfaces when practical.

The chronicle makes the argument.
This note makes the argument inspectable.
The withheld details protect against turning an audit note into a shortcut for abuse.
