
Releases: Rosh1106/WhatTheAgent

v0.2.1 — security fix (symlink escape disclosure)

09 May 23:16
@Rosh1106 Rosh1106
43a7d07
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified

Important

This is a security release. Users on 0.2.0 should upgrade.

Summary

A malicious workspace could include a symlink (e.g. a SKILL.md pointing at ~/.ssh/id_rsa or ~/.aws/credentials) and wta understand . would follow it, scan the file, and emit its path and snippets into report.html and understand.json. Confirmed empirically against 0.2.0.

Impact

Local file disclosure to the user running wta. An attacker who controls the contents of a workspace (e.g. a published "skill pack" on a marketplace, a shared dev container, or a malicious PR) can cause WhatTheAgent to read files from anywhere on the user's filesystem that the user has read access to, and to embed paths and content snippets from those files into the generated .wta/ report. If the user then shares that report (PR comment, support ticket, Slack), the disclosure is amplified.

Not RCE. No code execution, no privilege escalation. No CVE has been requested.

Affected versions

  • 0.2.0 — affected
  • 0.1.0 — affected (now deprecated as a preview cut anyway)
  • >= 0.2.1 — fixed

Fix

Two layers in src/utils/fileWalker.ts:

  1. glob is invoked with follow: false, preventing traversal through symlinked directories during the walk.
  2. After globbing, every matched path is resolved with fs.realpath. Any file whose real location escapes the resolved scan root is dropped before it is read, parsed, or quoted into evidence. Intra-workspace symlinks (which resolve back inside the root) remain scannable.

Three regression tests in tests/utils/fileWalker.test.ts lock in the behaviour, using the exact PoC that motivated the fix.
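To make the two layers concrete, here is an added example (not the project's own fileWalker.ts; the names walkWorkspace, isInsideRoot and demoWorkspace are assumptions) that walks a workspace without descending into symlinked directories, then resolves every file with fs.realpath and drops any whose real location escapes the resolved root, while keeping intra-workspace links. demoWorkspace builds a constructed workspace in a temp dir with one real file, one in-root symlink and one symlink to a stand-in for ~/.ssh/id_rsa outside the root.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True when `candidate` (already realpath-resolved) is `root` itself or lies beneath it.
function isInsideRoot(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel === "" || (!rel.startsWith("..") && !path.isAbsolute(rel));
}

// Layer 1: never descend into symlinked directories (Dirent.isDirectory() is false
// for a symlink, so this mirrors glob's follow: false).
// Layer 2: realpath every file and drop it if it resolves outside the root.
// Returns workspace-relative paths so callers can log what was skipped.
function walkWorkspace(rootDir: string): { kept: string[]; dropped: string[] } {
  const root = fs.realpathSync(rootDir);
  const kept: string[] = [];
  const dropped: string[] = [];
  const visit = (dir: string): void => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      const rel = path.relative(root, full);
      if (entry.isDirectory()) { visit(full); continue; }
      if (!entry.isFile() && !entry.isSymbolicLink()) continue;
      let real: string;
      try { real = fs.realpathSync(full); } catch { dropped.push(rel); continue; } // dangling link
      if (!fs.statSync(real).isFile()) continue; // symlink to a directory: not followed
      (isInsideRoot(root, real) ? kept : dropped).push(rel);
    }
  };
  visit(root);
  return { kept: kept.sort(), dropped: dropped.sort() };
}

// Constructed workspace: README.md (real), skills/LINK.md (intra-workspace symlink)
// and skills/SKILL.md (symlink escaping to secret.txt outside the root).
function demoWorkspace(): { kept: string[]; dropped: string[] } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "wta-demo-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(path.join(root, "skills"), { recursive: true });
  fs.writeFileSync(path.join(base, "secret.txt"), "constructed secret, must never be scanned\n");
  fs.writeFileSync(path.join(root, "README.md"), "# demo workspace\n");
  fs.symlinkSync(path.join(root, "README.md"), path.join(root, "skills", "LINK.md"));
  fs.symlinkSync(path.join(base, "secret.txt"), path.join(root, "skills", "SKILL.md"));
  try { return walkWorkspace(root); } finally { fs.rmSync(base, { recursive: true, force: true }); }
}
```

Running demoWorkspace() keeps README.md and skills/LINK.md and drops skills/SKILL.md; the same containment check also rejects sibling-prefix escapes such as a root of /a/b and a file in /a/bc.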

How to upgrade

npm install -g whattheagent@latest # picks up 0.2.1
# or pin:
npm install -g whattheagent@0.2.1

If you ran 0.2.0 against an untrusted workspace and shared the resulting .wta/ outputs, review them now to see if any unexpected file paths or snippets ended up in the report.

Credit

Discovered during dogfooding while writing this project's own threat model (eat-your-own-dog-food working as intended).

Full changelog

See CHANGELOG.md for the complete entry. The npm artifact is at https://www.npmjs.com/package/whattheagent.

🤖 Generated with Claude Code


v0.2.0 - going public

09 May 20:08
@Rosh1106 Rosh1106


The "we're going public" release. Big visual + scope cleanup since 0.1.0 plus open-source scaffolding.

Highlights

  • Mascot and animated terminal demo in the README, both inline SVG (no external assets).
  • Sharper "Why this exists" section + npm / license / Node / tests / status badges.
  • Open-source scaffolding — CONTRIBUTING, CODE_OF_CONDUCT, RELEASE, issue templates (bug / false-positive / feature), PR template.
  • Dependabot config and CodeQL workflow.
  • A "Non-goals" section in docs/ROADMAP.md that explicitly puts sandbox capability probing, runtime monitoring/enforcement, SaaS dashboards, and silent fixes out of scope.

Removed

  • wta probe and wta runtime commands. Sandbox capability probing and runtime enforcement are now explicit non-goals — credible sandboxes already exist (gVisor / nsjail / Docker), and the agent vendors are building runtime observability themselves. WhatTheAgent stays static and local-first; the chain-detection idea + the policy/ack workflow are the moat.
  • Supporting types (ProbePlan, SandboxProbe, RuntimePlan, RuntimeMode) and their console formatters.
  • CapabilityState pruned from six values to three (declared | inferred | unknown).
  • Dead src/cli/ scaffolding that was never wired into cli.ts.

Changed

  • All audience docs (readme/README.md, personal-agents.md, workspace-stations.md, agent-instructions.md) brought up to date with the current command surface (--chat, --open, --exclude, --from-scan, --reason-from-stdin, wta ack, wta ack-batch).
  • AGENTS.md now has a current architecture snapshot and an explicit "What WhatTheAgent does not do" scope reminder for new contributors.
  • SECURITY.md rewritten with private security advisory link and clearer scope of what counts as a security issue.

Install

npm install -g whattheagent@0.2.0
wta understand . --chat # phone-readable summary
wta understand . --output .wta --open # local HTML report

Full changelog

See CHANGELOG.md for the complete list. The npm artifact is at https://www.npmjs.com/package/whattheagent.

🤖 Generated with Claude Code
