Vulnerability: Sandbox escape, AI accesses files outside workspace via PowerShell and $env bypassing any external_directory restrictions #1229

@oniguru-dev

Description

The external_directory permission is designed to prevent the AI agent from reading or writing files outside of the working directory without explicit user consent. However, this restriction can be entirely bypassed when the agent executes shell commands using PowerShell and environment variables (e.g., using $env:USERPROFILE or other paths).

Because the security check only validates paths passed to built-in filesystem tools (like read, write, grep), running arbitrary commands via PowerShell allows the agent to read and write files anywhere on the host system without triggering the external_directory prompt.

Plugins

None / Default

MiMoCode version

v0.1.1

Steps to reproduce

  1. Initialize MiMoCode in a clean workspace directory.
  2. Ensure that external_directory permission is set to ask or deny in your configuration (mimocode.json).
  3. Ask the agent to read or write a file outside the workspace using PowerShell, for example:
    "Use PowerShell to read the contents of $env:USERPROFILE\Documents\some_file.txt"
  4. Observe that the agent executes the command successfully and displays the file content, bypassing the filesystem boundary without prompting for external_directory permission.

Screenshot and/or share link

(Screenshot: downloading a file to $env:TEMP (or any other env) without a permission request)

Operating System

Windows 10

Terminal

Visual Studio Code / PowerShell
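The gap the report describes, as an added illustration (editor's code, not MiMoCode's): a workspace-boundary guard applied to the built-in filesystem tools, the shell tool that skips it entirely, and a stricter shell policy that expands `$env:` references and applies the same boundary to every path-like token. The workspace root `C:\work\proj`, the host environment values, and the function names `check_fs_tool`, `check_shell_as_reported` and `check_shell_hardened` are all assumptions made for the example.

```python
"""Added illustration, not MiMoCode's code: a workspace-boundary guard of the
kind the report describes, the gap it leaves when the agent goes through a
shell, and a stricter policy for the shell tool. Every path and environment
value below is constructed for the example."""
import re
from posixpath import normpath

WORKSPACE = r"C:\work\proj"            # constructed workspace root (assumption)
HOST_ENV = {                           # constructed Windows host env (assumption)
    "USERPROFILE": r"C:\Users\alice",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}
ENV_REF = re.compile(r"\$env:([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
# Command-line tokens: split on whitespace, quotes and the usual shell separators.
TOKEN = re.compile(r"""[^\s"'`;|&<>(),]+""")


def canon(path, cwd=WORKSPACE):
    """Canonical lower-case, forward-slash form of a Windows or POSIX path.
    Relative paths are joined to cwd; '.' and '..' segments are collapsed."""
    p = path.replace("\\", "/")
    if not re.match(r"^([A-Za-z]:/|/)", p):
        p = cwd.replace("\\", "/").rstrip("/") + "/" + p
    return normpath(p).lower()          # Windows paths compare case-insensitively


def inside_workspace(path, workspace=WORKSPACE):
    ws, target = canon(workspace, workspace), canon(path, workspace)
    return target == ws or target.startswith(ws + "/")


def check_fs_tool(path, workspace=WORKSPACE):
    """Policy for the built-in read/write/grep tools: 'allow' inside the
    workspace, 'ask' (the external_directory prompt) for anything else."""
    return "allow" if inside_workspace(path, workspace) else "ask"


def check_shell_as_reported(command, workspace=WORKSPACE):
    """The behaviour the report describes: a shell command is never checked,
    so '$env:USERPROFILE\\Documents\\...' is read without any prompt."""
    return "allow"


def check_shell_hardened(command, workspace=WORKSPACE, env=HOST_ENV):
    """Stricter policy for the shell tool. Expand $env: references with the
    host's values, then treat every path-like token as a filesystem argument
    and apply the same boundary as the built-in tools. Anything that cannot be
    resolved (an unknown variable, a '~' home shortcut) is assumed to point
    outside. This is a heuristic over a string, not a sandbox: a shell can
    reach a file without naming it literally, so the durable fix is to run the
    child process with a restricted environment or gate the shell tool on the
    same external_directory prompt."""
    expanded = ENV_REF.sub(lambda m: env.get(m.group(1).upper(), "\x00"), command)
    if "\x00" in expanded or "~" in expanded:   # unresolvable reference
        return "ask"
    for token in TOKEN.findall(expanded):
        looks_like_path = "/" in token or "\\" in token or ".." in token
        if looks_like_path and not inside_workspace(token, workspace):
            return "ask"
    return "allow"


if __name__ == "__main__":
    probe = r"Get-Content $env:USERPROFILE\Documents\some_file.txt"
    print("fs tool, same target :", check_fs_tool(r"C:\Users\alice\Documents\some_file.txt"))
    print("shell as reported    :", check_shell_as_reported(probe))
    print("shell hardened       :", check_shell_hardened(probe))
    print("shell hardened, local:", check_shell_hardened(r"Get-Content .\src\main.py"))
```

Run as a script it prints `ask`, `allow`, `ask`, `allow`: the built-in tool would have prompted for the expanded path, the shell tool as reported lets the same read through, and the hardened policy prompts again. The `cd ..; Get-Content secrets.txt` and `-OutFile $env:TEMP\payload.exe` shapes from the report are also caught because `..` and the expanded `$env:TEMP` resolve outside the workspace; the caveat in the docstring stands, since a string filter cannot see what `Join-Path` or `[Environment]::GetFolderPath` will produce at run time.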

Labels

bug