fix(security): trust resolved skill-bin paths in allowlist auto-allow

src/node-host/invoke-system-run.test.ts

@@ -2,6 +2,7 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { describe, expect, it, vi } from "vitest";
+import { saveExecApprovals } from "../infra/exec-approvals.js";
 import type { ExecHostResponse } from "../infra/exec-host.js";
 import { handleSystemRunInvoke, formatSystemRunAllowlistMissMessage } from "./invoke-system-run.js";
 
@@ -49,7 +50,7 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {
         sessionKey: "agent:main:main",
       },
       skillBins: {
-        current: async () => new Set<string>(),
+        current: async () => [],
       },
       execHostEnforced: false,
       execHostFallbackAllowed: true,
@@ -187,7 +188,7 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {
         sessionKey: "agent:main:main",
       },
       skillBins: {
-        current: async () => new Set<string>(),
+        current: async () => [],
       },
       execHostEnforced: false,
       execHostFallbackAllowed: true,
@@ -226,6 +227,85 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {
     }
   });
 
+  it("denies ./skill-bin even when autoAllowSkills trust entry exists", async () => {
+    const tempHome = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-skill-path-spoof-"));
+    const previousOpenClawHome = process.env.OPENCLAW_HOME;
+    const skillBinPath = path.join(tempHome, "skill-bin");
+    fs.writeFileSync(skillBinPath, "#!/bin/sh\necho should-not-run\n", { mode: 0o755 });
+    fs.chmodSync(skillBinPath, 0o755);
+    process.env.OPENCLAW_HOME = tempHome;
+    saveExecApprovals({
+      version: 1,
+      defaults: {
+        security: "allowlist",
+        ask: "on-miss",
+        askFallback: "deny",
+        autoAllowSkills: true,
+      },
+      agents: {},
+    });
+    const runCommand = vi.fn(async () => ({
+      success: true,
+      stdout: "local-ok",
+      stderr: "",
+      timedOut: false,
+      truncated: false,
+      exitCode: 0,
+      error: null,
+    }));
+    const sendInvokeResult = vi.fn(async () => {});
+    const sendNodeEvent = vi.fn(async () => {});
+
+    try {
+      await handleSystemRunInvoke({
+        client: {} as never,
+        params: {
+          command: ["./skill-bin", "--help"],
+          cwd: tempHome,
+          sessionKey: "agent:main:main",
+        },
+        skillBins: {
+          current: async () => [{ name: "skill-bin", resolvedPath: skillBinPath }],
+        },
+        execHostEnforced: false,
+        execHostFallbackAllowed: true,
+        resolveExecSecurity: () => "allowlist",
+        resolveExecAsk: () => "on-miss",
+        isCmdExeInvocation: () => false,
+        sanitizeEnv: () => undefined,
+        runCommand,
+        runViaMacAppExecHost: vi.fn(async () => null),
+        sendNodeEvent,
+        buildExecEventPayload: (payload) => payload,
+        sendInvokeResult,
+        sendExecFinishedEvent: vi.fn(async () => {}),
+        preferMacAppExecHost: false,
+      });
+    } finally {
+      if (previousOpenClawHome === undefined) {
+        delete process.env.OPENCLAW_HOME;
+      } else {
+        process.env.OPENCLAW_HOME = previousOpenClawHome;
+      }
+      fs.rmSync(tempHome, { recursive: true, force: true });
+    }
+
+    expect(runCommand).not.toHaveBeenCalled();
+    expect(sendNodeEvent).toHaveBeenCalledWith(
+      expect.anything(),
+      "exec.denied",
+      expect.objectContaining({ reason: "approval-required" }),
+    );
+    expect(sendInvokeResult).toHaveBeenCalledWith(
+      expect.objectContaining({
+        ok: false,
+        error: expect.objectContaining({
+          message: "SYSTEM_RUN_DENIED: approval required",
+        }),
+      }),
+    );
+  });
+
   it("denies env -S shell payloads in allowlist mode", async () => {
     const { runCommand, sendInvokeResult } = await runSystemInvoke({
       preferMacAppExecHost: false,