CVE-2026-16085
Received Received - Intake

Inclusion of Untrusted Functionality in Sipeed PicoClaw

Vulnerability report for CVE-2026-16085, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-18
EPSS Evaluated
2026-07-18
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sipeed picoclaw to 0.2.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a prompt injection flaw in Sipeed PicoClaw up to version 0.2.9. The issue occurs in the NewContextBuilder function of pkg/agent/context.go. When the PICOCLAW_BUILTIN_SKILLS environment variable is unset, PicoClaw automatically loads metadata from untrusted local skills directories (./skills/) using the current working directory. An attacker can place a malicious SKILL.md file in this directory, which is then silently injected into the AI's system prompt without user action or trust verification.

Detection Guidance

Check for unexpected SKILL.md files in ./skills/ directories within cloned repositories. Inspect environment variables for PICOCLAW_BUILTIN_SKILLS. Review system prompts for injected content from local directories.

Impact Analysis

An attacker could manipulate the AI's system prompt by placing a malicious file in a cloned repository's skills folder. This could bias the AI's behavior, alter tool selection, or influence actions without requiring network access. The attack is local and requires only write access to the repository directory.

Compliance Impact

This vulnerability involves inclusion of functionality from an untrusted control sphere, which could lead to unauthorized data access or manipulation. For GDPR, this may violate principles of data integrity and confidentiality (Article 5) and could result in unauthorized processing. Under HIPAA, it risks exposing protected health information if exploited in healthcare contexts, violating the Security Rule's integrity and confidentiality requirements.

Mitigation Strategies

Set PICOCLAW_BUILTIN_SKILLS to a trusted directory path. Remove untrusted repository-local skills/ directories. Update PicoClaw to a patched version if available. Monitor system prompts for suspicious inclusions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart