Summary
The CLI allows combining --mount-rw (host filesystem read-write access) with the mcp subcommand. Every MCP tools/call request, issued by a potentially untrusted LLM agent, then gets read-write access to every mounted host path (the entire filesystem when / is mounted). There is no warning, confirmation, or safety check for this dangerous combination.
Threat category: TM-ESC (Sandbox Escape) — extends existing category
Severity: Medium
Component: crates/bashkit-cli/src/main.rs, build_bash() function
Root Cause
The build_bash() function applies --mount-rw mounts identically for all modes (CLI, Script, MCP). In CLI/Script mode the person who passed --mount-rw is the same person running the commands, so read-write host access is expected. In MCP mode the commands come from an LLM agent over the MCP transport, not from the operator, so this mode should have stricter defaults.
fn build_bash(args: &Args, mode: CliMode) -> bashkit::Bash {
    // ... same mount logic for all modes; `mode` is never consulted here ...
    #[cfg(feature = "realfs")]
    {
        builder = apply_real_mounts(builder, &args.mount_ro, &args.mount_rw);
    }
    // ...
}
Steps to Reproduce
# Start MCP server with full host filesystem access
bashkit mcp --mount-rw /
# Any MCP tools/call request can now:
# - Read any file: cat /etc/passwd
# - Write any file: echo "pwned" > /etc/motd
# - Delete files: rm -rf /important/data
Impact
- Host filesystem compromise: LLM agents can read/write/delete any file the process has access to
- Credential theft: Agents can read SSH keys, API tokens, config files
- Lateral movement: Agents can modify system files, install backdoors
Acceptance Criteria
- Warn when --mount-rw is used with the mcp subcommand
- --i-know-what-im-doing flag for --mount-rw in MCP mode
- --mount-rw help text
Proposed Fix
In main.rs, after parsing args and determining that the mode is MCP, print a warning (a first step; it does not by itself block the mount):
if mode == CliMode::Mcp && !args.mount_rw.is_empty() {
    eprintln!("WARNING: --mount-rw in MCP mode gives LLM agents read-write access to host files.");
    eprintln!("         This breaks the sandbox boundary. Use --mount-ro for safer access.");
}
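One way to implement the acceptance criteria as a fail-closed policy rather than only a warning, written as an added example and not bashkit's own code. MountArgs, plan_mounts, Access, Mount and PolicyError are hypothetical names; the i_know_what_im_doing field stands in for the proposed --i-know-what-im-doing flag; refusing a read-write mount of / in MCP mode even with the flag, and rejecting relative mount paths, are additional assumptions of this example rather than something the issue asks for.

```rust
// Added example (not bashkit's code): a mode-aware mount policy that fails
// closed for --mount-rw in MCP mode. MountArgs, plan_mounts, Access, Mount
// and PolicyError are hypothetical names used for illustration.
use std::path::{Path, PathBuf};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CliMode {
    Cli,
    Script,
    Mcp,
}

/// Subset of the parsed CLI arguments the policy needs (assumed shape).
#[derive(Debug, Default)]
pub struct MountArgs {
    pub mount_ro: Vec<PathBuf>,
    pub mount_rw: Vec<PathBuf>,
    /// Operator opt-in for read-write host mounts in MCP mode
    /// (stands in for the proposed --i-know-what-im-doing flag).
    pub i_know_what_im_doing: bool,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Access {
    ReadOnly,
    ReadWrite,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Mount {
    pub host_path: PathBuf,
    pub access: Access,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PolicyError {
    /// --mount-rw given in MCP mode without the opt-in flag.
    RwInMcpWithoutOptIn(Vec<PathBuf>),
    /// Read-write mount of the whole host filesystem in MCP mode is refused
    /// even with the opt-in flag (assumption of this example).
    RwRootInMcp,
    /// Relative paths would silently depend on the server's working directory.
    RelativePath(PathBuf),
}

/// Decide which host mounts the sandbox may receive for this mode.
/// Returns the mount plan plus any warnings the CLI should print.
pub fn plan_mounts(
    args: &MountArgs,
    mode: CliMode,
) -> Result<(Vec<Mount>, Vec<String>), PolicyError> {
    let mut warnings = Vec::new();

    // Every mount path must be absolute so the checks below compare what
    // the operator actually typed.
    if let Some(p) = args
        .mount_ro
        .iter()
        .chain(args.mount_rw.iter())
        .find(|p| !p.is_absolute())
    {
        return Err(PolicyError::RelativePath(p.to_path_buf()));
    }

    if mode == CliMode::Mcp && !args.mount_rw.is_empty() {
        // `bashkit mcp --mount-rw /` from the report: refused unconditionally.
        if args.mount_rw.iter().any(|p| p.as_path() == Path::new("/")) {
            return Err(PolicyError::RwRootInMcp);
        }
        // Any other read-write host path needs the explicit opt-in, and the
        // operator is still warned so the risk is visible in the server log.
        if !args.i_know_what_im_doing {
            return Err(PolicyError::RwInMcpWithoutOptIn(args.mount_rw.clone()));
        }
        warnings.push(format!(
            "WARNING: --mount-rw in MCP mode gives LLM agents read-write access to {} host path(s). \
             Use --mount-ro unless writes are required.",
            args.mount_rw.len()
        ));
    }

    // CLI/Script mode, or MCP mode that passed the checks: build the plan.
    let mut mounts: Vec<Mount> = args
        .mount_ro
        .iter()
        .map(|p| Mount { host_path: p.clone(), access: Access::ReadOnly })
        .collect();
    mounts.extend(args.mount_rw.iter().map(|p| Mount {
        host_path: p.clone(),
        access: Access::ReadWrite,
    }));
    Ok((mounts, warnings))
}

fn main() {
    // Reproduces the report's command line in MCP mode; the policy refuses it.
    let args = MountArgs { mount_rw: vec![PathBuf::from("/")], ..Default::default() };
    match plan_mounts(&args, CliMode::Mcp) {
        Ok((mounts, warnings)) => {
            for w in &warnings {
                eprintln!("{w}");
            }
            println!("mounts: {mounts:?}");
        }
        Err(e) => eprintln!("refused: {e:?}"),
    }
}
```

The design choice is that the mode, not the flag alone, decides the default: CLI and Script mode keep today's behaviour, MCP mode refuses read-write host mounts unless the operator opts in, and even the opt-in is logged. Wiring this in front of apply_real_mounts() in build_bash() would make that function the single place where the mode is consulted.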