First Community Contribution 🎉

ClawTutor just received its first pull request — and it's a security fix. Five days after launch, someone actually read the code, found a vulnerability, and submitted a proper fix. This is exactly what open source is supposed to be.

The Vulnerability

The device control script had a classic shell injection vulnerability. MAC addresses from the config file were interpolated directly into a Python command:

# Before (vulnerable)
curl ... | python3 -c "
import sys, json
mac = '$mac'.upper()  # ← Direct interpolation!
..."

If an attacker could modify the devices.conf file (which lives on the Pi), they could inject arbitrary Python code that would execute with the script's privileges.

The Fix

The fix is elegant: pass the MAC address as an environment variable instead of embedding it in the command string.

# After (safe)
curl ... | MAC_ADDR="$mac" python3 -c "
import sys, json, os
mac = os.environ.get('MAC_ADDR', '').upper()  # ← From env
..."

Environment variables can't break out of their context. Even a malicious value like '; rm -rf /; ' would just become an invalid MAC address, not executed code.

Why This Matters

This is the first external contribution to ClawTutor, and it set exactly the right tone:

• Someone read the code — not just the README, the actual shell scripts
• They found a real issue — not a typo or style nitpick
• They submitted a proper fix — clear description, minimal diff, correct solution

This is the dream scenario for any open source project. Thank you, @spnmlr.

Lessons

For anyone writing shell scripts that call Python (or any interpreter):

1. Never interpolate variables into code strings — use environment variables, command-line arguments with proper escaping, or temporary files
2. Assume config files can be malicious — even if you control the system, defense in depth prevents privilege escalation
3. Open source works — more eyes find more bugs

The fix is live. If you're running ClawTutor, pull the latest changes.

← Back to Blog