Plugin Type
VSCode Extension
App Version
4.141.2 (3ae05ef)
Description
When adding an allowed command, Kilocode can run totally different commands (even denied ones) by appending them to the allowed command. For example, given this configuration:
{
  "execute": {
    "enabled": true,
    "allowed": [
      "npm", // Allows all npm commands
      "git status", // Allows all git status commands
      "ls -la" // Only allows exactly "ls -la"
    ],
    "denied": [
      "git push --force" // Denies this specific command even if "git" is allowed
    ]
  }
}
It is possible that Kilocode runs "git status; rm -rf /tmp", as it begins with "git status".
Reproduction steps
Ask Kilocode to run that command.
Provider
OpenAI Compatible
Model
gpt-oss
System Information
No response
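
An added sketch (not Kilocode's code and not part of the report) of why a check on the start of the command string accepts "git status; rm -rf /tmp", next to a check that validates every sub-command. The function names, the token-boundary matching rule and the list of rejected shell constructs are assumptions made for this example.

```javascript
// Constructed from the configuration quoted in the report.
const ALLOWED = ["npm", "git status", "ls -la"];
const DENIED = ["git push --force"];

// True when cmd is the entry itself or the entry followed by arguments.
const matches = (cmd, entry) => cmd === entry || cmd.startsWith(entry + " ");

// Assumed model of the reported behaviour: only the start of the string is checked.
function prefixOnlyCheck(command) {
  const cmd = command.trim();
  return !DENIED.some((d) => cmd.startsWith(d)) && ALLOWED.some((a) => cmd.startsWith(a));
}

// Split on ; & | and newlines outside quotes. Returns null for anything this
// sketch refuses to reason about: backslashes, backticks, $( ), redirections,
// unbalanced quotes. It is deliberately conservative, not a full shell parser.
function splitSubCommands(command) {
  if (/[\\`<>]|\$\(/.test(command)) return null;
  const parts = [];
  let current = "";
  let quote = null;
  for (const ch of command) {
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if (";&|\n".includes(ch)) {
      parts.push(current);
      current = "";
      continue;
    }
    current += ch;
  }
  if (quote) return null;
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Hardened check: every sub-command must be allowed and none may be denied.
function perSubCommandCheck(command) {
  const parts = splitSubCommands(command);
  if (parts === null || parts.length === 0) return false;
  return parts.every(
    (p) => !DENIED.some((d) => matches(p, d)) && ALLOWED.some((a) => matches(p, a))
  );
}
```

Commands that the hardened check rejects would fall back to asking the user for approval rather than running automatically.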