The vulnerability in OpenHuman desktop agent (<=0.54.0) involves two flaws in the SecurityPolicy's shell tool command allowlist: (1) is_args_safe() blocks the find command flags -exec and -ok but not the equivalent -execdir and -okdir, which also execute arbitrary commands; (2) skip_env_assignments() removes leading inline environment variable assignments before allowlist validation, allowing commands like GIT_EXTERNAL_DIFF=<cmd> git diff to bypass checks and execute arbitrary commands via git hooks. Because the sandbox is the main trust boundary between untrusted LLM-processed content and the host OS, an attacker can exploit this via indirect prompt injection through malicious documents or web content, resulting in remote code execution and other severe impacts. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 and first released in version 0.56.0, which blocks the -execdir and -okdir flags.

Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the desktop user, leading to remote code execution, data exfiltration, arbitrary file read/write, and lateral movement on the affected machine. This compromises the primary sandbox trust boundary, enabling attackers to leverage indirect prompt injection vectors such as malicious documents, emails, calendar events, or web pages processed by the agent.

A fix is available and was introduced in OpenHuman version 0.56.0, which blocks the -execdir and -okdir flags in the find command to prevent bypass of the shell tool command allowlist. Users should upgrade to version 0.56.0 or later. Since this is a cloud-hosted service, the vendor manages remediation server-side; users should verify with the vendor advisory for current patch status and ensure their desktop agents are updated accordingly.