trace_9a554ed0064a418d958a8ec2aaf8fca2

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start at `extensions/openshell/src/config.ts`, trace `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` through config resolution into mirror-mode sync behavior, and explain how insufficient root scoping can make remote cleanup or overwrite target an unintended directory.

{
  "executiveSummary": "The OpenShell extension in OpenClaw contains a path traversal / arbitrary deletion vulnerability due to insufficient validation of configured remote workspace directories. When the OpenShell mirror mode is active, the backend relies on user-configurable `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values to dictate where files are synced. Because these directory properties are merely required to be absolute paths (starting with `/`) and undergo no further workspace-scoping checks, an attacker who controls the OpenShell configuration could set them to sensitive remote paths like `/` or `/etc`. When the mirror sync occurs, the backend issues an unrestrained `find ... -exec rm -rf {} +` command against the configured directory, potentially deleting the entire remote filesystem or overwricting it with synchronized content.",
  "reports": [
    {
      "title": "Arbitrary Remote Directory Deletion and Overwrite in OpenShell Mirror Mode",
      "severity": "HIGH",
      "summary": "OpenShell mis-scopes remote workspace directories, leading to arbitrary directory cleanup and overwrite in mirror mode.",
      "rootCauseAnalysis": "The config resolution (`resolveOpenShellPluginConfig` and `normalizeRemotePath`) verifies the remote path is an absolute path, but fails to restrict it to a predefined, safe subdirectory managed by OpenShell. When in mirror mode, the backend unconditionally cleans the provided paths relying exclusively on an uncontrolled configuration value to construct a generic remote shell `rm -rf` script. Because the cleanup operation uses this path to erase existing directories prior to mirroring, providing an arbitrary target triggers deletion of unintended filesystem segments before overwritten.",
      "impact": "The vulnerability allows an attacker to perform unauthorized file deletion and overwriting within the remote OpenShell container/sandbox environment. By specifying `/` or other critical paths as the syncing targets, an attacker can destroy the remote container environment (Denial of Service) or overwrite critical operational paths with arbitrary content.",
      "attackPath": "1. An attacker modifies the OpenShell plugin configuration (e.g. by supplying a malicious `.openclaw/config.yaml` or through plugin config APIs) setting `mode: \"mirror\"` and `remoteWorkspaceDir` to `/` (or another critical directory like `/home/user`).\n2. The `resolveOpenShellPluginConfig` function normalizes the input but only verifies that it starts with `/`.\n3. When the sandbox is launched or an execution prepares, `OpenShellSandboxBackendImpl.prepareExec` invokes `syncWorkspaceToRemote()` for mirror mode.\n4. `syncWorkspaceToRemote` runs `mkdir -p -- \"$1\" && find \"$1\" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +`, passing the configured remote workspace directory (`/`) as `$1`.\n5. This leads to the immediate deletion of all files in the root directory (or whatever targeted sensitive path) within the sandbox or t