What happened
NVD published a medium-severity (CVSS 5.3) TOCTOU vulnerability in PicoClaw's agent tool execution pipeline, allowing a local attacker to manipulate the working directory between check and use.
Why it matters
While requiring local access limits blast radius, TOCTOU flaws in agent tool executors can be used to redirect file operations performed by an AI agent to attacker-controlled paths, an important class of bug for sandboxed/edge AI agent runtimes like PicoClaw.
Attack vector
The ExecTool.executeRun function in pkg/agent/pipeline_execute.go is vulnerable to a TOCTOU race condition via manipulation of the cwd argument; the attack must be carried out locally, with a publicly available exploit.
Affected systems
Sipeed PicoClaw up to 0.2.9
Mitigation
No official patch confirmed at disclosure time; avoid untrusted local access to PicoClaw agent execution environments pending a fix.