What happened
rtk's permission splitter, which decides whether a shell command is allowed before its output is filtered into LLM context, fails to conservatively reject or split several Bash constructs that are command-execution boundaries. An allowed command prefix can be followed by subshells or nested execution to achieve arbitrary command execution.
Why it matters
rtk sits between the shell and the LLM context window — it is a security control for AI coding agents. Bypassing its permission splitter means attacker-controlled content (e.g. from a project's Makefile or shell scripts) can execute arbitrary commands in the context of the LLM's execution environment, completely subverting the tool's safety purpose.
Attack vector
A command that begins with an allowed prefix but contains shell constructs that Bash treats as execution boundaries (subshells, process substitution, command grouping) bypasses the permission splitter's conservative-split logic, executing attacker-controlled code under the guise of an approved command.
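A fail-closed form of the check described above, as an added example that is not rtk's code: it rejects any command containing a character Bash can use to open or separate a command, and only then matches the allowed prefix on a word boundary. The names `check_command`, `Verdict`, `BOUNDARY_CHARS` and the allowlist are assumptions; the check rejects rather than splits and does not parse quoting, so a quoted parenthesis is also refused.

```rust
// Characters that can open or separate a command in Bash: subshell and
// substitution parentheses, grouping braces, backticks, list operators,
// pipes and line breaks. Any occurrence, quoted or not, is rejected.
const BOUNDARY_CHARS: &[char] = &['(', ')', '{', '}', '`', ';', '&', '|', '\n', '\r'];

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed,
    RejectedBoundary(char), // first boundary character found
    RejectedPrefix,         // no allowlisted prefix matched
}

// Hypothetical permission check: boundary scan first, prefix match second,
// so an approved prefix can never vouch for text that follows it.
pub fn check_command(cmd: &str, allowed_prefixes: &[&str]) -> Verdict {
    if let Some(c) = cmd.chars().find(|c| BOUNDARY_CHARS.contains(c)) {
        return Verdict::RejectedBoundary(c);
    }
    let trimmed = cmd.trim_start();
    let prefix_ok = allowed_prefixes.iter().any(|p| {
        // The prefix must end at a word boundary: "ls" must not match "lsof".
        trimmed
            .strip_prefix(*p)
            .map_or(false, |rest| rest.is_empty() || rest.starts_with(' '))
    });
    if prefix_ok { Verdict::Allowed } else { Verdict::RejectedPrefix }
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES: &[&str] = &[
    "git status --short",
    "git status $(echo x)",
    "ls <(echo x)",
    "ls { echo x; }",
    "lsof -i",
];

fn main() {
    let allowed = ["git status", "ls"]; // assumed allowlist
    for cmd in SAMPLES.iter() {
        println!("{:?} -> {:?}", cmd, check_command(cmd, &allowed));
    }
}
```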
Affected systems
rtk (rtk-ai/rtk) < 0.42.2
Mitigation
Upgrade to rtk 0.42.2. Advisory: https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327