Rachel's Self-Review Report
Automated comprehensive code review of the entire KernelBot codebase — 75+ source files analyzed across bin/, src/, scripts/, and skills/.
CRITICAL Security Issues
| # |
File |
Line(s) |
Issue |
| 1 |
src/tools/os.js |
143 |
Blocked-path check bypass — substring search on raw command string is trivially circumvented via &&, pipes, quoting, or subshells |
| 2 |
src/tools/docker.js |
98 |
Command injection — docker compose action parameter is unsanitized; e.g. up -d; rm -rf / |
| 3 |
src/tools/jira.js |
189, 218 |
JQL injection — assignee and project_key interpolated directly into JQL queries |
| 4 |
src/tools/git.js |
22-28 |
Credential leak — GitHub token embedded in plain-text remote URL, visible in git remote -v, error messages, process listings |
| 5 |
src/dashboard/server.js |
434-440 |
No authentication on dashboard — exposes full system internals (jobs, memories, config) with Access-Control-Allow-Origin: * |
HIGH-Priority Bugs
| # |
File |
Line(s) |
Issue |
| 1 |
src/providers/anthropic.js |
26 |
max_tokens stop reason incorrectly mapped to tool_use — causes phantom tool-call processing |
| 2 |
src/providers/openai-compat.js |
105 |
choices[0] accessed without null guard — crashes on empty API responses |
| 3 |
src/life/evolution.js |
28-41 |
DEFAULT_DATA.stats reference mutation — shallow spread poisons the module-level default across calls |
| 4 |
src/life/engine.js |
309-315 |
Auto-recovery delete never persists — suppressed activities stay suppressed across restarts |
| 5 |
src/life/metacognition.js |
214 |
Infinity value written to JSON produces null, corrupting stored summaries |
| 6 |
src/services/x-api.js |
30-34 |
OAuth signing excludes query params — all GET requests with params likely fail authentication |
| 7 |
src/automation/scheduler.js |
119-131 |
Cron step of 0 (e.g. */0) causes infinite loop, hanging the process |
| 8 |
src/tools/orchestrator-tools.js |
776 |
Cross-chat history access — any chat_id can be supplied to read another user's conversations |
| 9 |
src/bot.js |
395-396 |
data.split(':') truncates model IDs containing colons (common in provider-prefixed model names) |
HIGH-Priority Security Concerns
| # |
File |
Line(s) |
Issue |
| 1 |
src/tools/network.js |
49, 61-85 |
No SSRF protection — curl_url and check_port can probe internal networks and cloud metadata (169.254.169.254) |
| 2 |
src/tools/browser.js |
667-673 |
evaluate script blocklist easily bypassed via bracket notation (window['location'], globalThis['fetch']) |
| 3 |
src/tools/coding.js |
51 |
working_directory not validated against blocked paths |
| 4 |
src/tools/git.js |
113-114 |
Path traversal in dest parameter — ../../etc escapes workspace |
| 5 |
src/tools/monitor.js |
80 |
system_logs can read arbitrary files with no blocked-path check |
| 6 |
src/life/codebase.js |
14-17 |
SKIP_PATTERNS omits .env.* variants — .env.local, .env.production contents sent to LLM |
Reliability & Data Integrity
- All life-engine files use synchronous
writeFileSync with no atomic writes (write-to-temp-then-rename). A crash mid-write corrupts the file, and the try/catch → return default pattern silently loses all data.
- UTC vs local time inconsistency across
date.js (getStartOfDayMs = local, todayDateStr = UTC), journal.js (header = local, filename = UTC), scheduler.js (all cron evaluation in local time).
- No rate limiting on background LLM calls —
_extractPersonaBackground and _reflectOnSelfBackground fire after every message, potentially exhausting API rate limits under rapid messaging.
Code Quality Improvements
config.js lines 241-348: changeOrchestratorModel and changeBrainModel are 90% duplicated — extract shared helperagent.js line 108: _getSystemPrompt has 8+ positional parameters — refactor to options objectidle-reflection.js lines 23-24: Hardcoded /root/ paths break for non-root users and are inconsistent (/root/.kernelbot/ vs /root/kernelbot/)display.js line 125: Label says "Style" but reads from character.age — copy-paste error
Recommended Priority
- Immediate — Fix command injection in
os.js, docker.js, jira.js; add dashboard auth
- High — Fix
anthropic.js stop-reason mapping, evolution.js default mutation, scheduler.js infinite loop
- Medium — Add SSRF protection, atomic file writes, fix timezone inconsistencies
- Low — Code deduplication, refactoring long parameter lists
Generated by Rachel's automated self-review — Feb 27, 2026
Rachel's Self-Review Report
Automated comprehensive code review of the entire KernelBot codebase — 75+ source files analyzed across
bin/,src/,scripts/, andskills/.CRITICAL Security Issues
src/tools/os.js&&, pipes, quoting, or subshellssrc/tools/docker.jsdocker composeaction parameter is unsanitized; e.g.up -d; rm -rf /src/tools/jira.jsassigneeandproject_keyinterpolated directly into JQL queriessrc/tools/git.jsgit remote -v, error messages, process listingssrc/dashboard/server.jsAccess-Control-Allow-Origin: *HIGH-Priority Bugs
src/providers/anthropic.jsmax_tokensstop reason incorrectly mapped totool_use— causes phantom tool-call processingsrc/providers/openai-compat.jschoices[0]accessed without null guard — crashes on empty API responsessrc/life/evolution.jsDEFAULT_DATA.statsreference mutation — shallow spread poisons the module-level default across callssrc/life/engine.jsdeletenever persists — suppressed activities stay suppressed across restartssrc/life/metacognition.jsInfinityvalue written to JSON producesnull, corrupting stored summariessrc/services/x-api.jssrc/automation/scheduler.js0(e.g.*/0) causes infinite loop, hanging the processsrc/tools/orchestrator-tools.jschat_idcan be supplied to read another user's conversationssrc/bot.jsdata.split(':')truncates model IDs containing colons (common in provider-prefixed model names)HIGH-Priority Security Concerns
src/tools/network.jscurl_urlandcheck_portcan probe internal networks and cloud metadata (169.254.169.254)src/tools/browser.jsevaluatescript blocklist easily bypassed via bracket notation (window['location'],globalThis['fetch'])src/tools/coding.jsworking_directorynot validated against blocked pathssrc/tools/git.jsdestparameter —../../etcescapes workspacesrc/tools/monitor.jssystem_logscan read arbitrary files with no blocked-path checksrc/life/codebase.jsSKIP_PATTERNSomits.env.*variants —.env.local,.env.productioncontents sent to LLMReliability & Data Integrity
writeFileSyncwith no atomic writes (write-to-temp-then-rename). A crash mid-write corrupts the file, and thetry/catch → return defaultpattern silently loses all data.date.js(getStartOfDayMs= local,todayDateStr= UTC),journal.js(header = local, filename = UTC),scheduler.js(all cron evaluation in local time)._extractPersonaBackgroundand_reflectOnSelfBackgroundfire after every message, potentially exhausting API rate limits under rapid messaging.Code Quality Improvements
config.jslines 241-348:changeOrchestratorModelandchangeBrainModelare 90% duplicated — extract shared helperagent.jsline 108:_getSystemPrompthas 8+ positional parameters — refactor to options objectidle-reflection.jslines 23-24: Hardcoded/root/paths break for non-root users and are inconsistent (/root/.kernelbot/vs/root/kernelbot/)display.jsline 125: Label says "Style" but reads fromcharacter.age— copy-paste errorRecommended Priority
os.js,docker.js,jira.js; add dashboard authanthropic.jsstop-reason mapping,evolution.jsdefault mutation,scheduler.jsinfinite loopGenerated by Rachel's automated self-review — Feb 27, 2026