fix(exec): prevent PATH injection in docker sandbox

src/agents/bash-tools.shared.ts

@@ -60,11 +60,18 @@ export function buildDockerExecArgs(params: {
   for (const [key, value] of Object.entries(params.env)) {
     args.push("-e", `${key}=${value}`);
   }
+  const hasCustomPath = typeof params.env.PATH === "string" && params.env.PATH.length > 0;
+  if (hasCustomPath) {
+    // Avoid interpolating PATH into the shell command; pass it via env instead.
+    args.push("-e", `CLAWDBOT_PREPEND_PATH=${params.env.PATH}`);
+  }
   // Login shell (-l) sources /etc/profile which resets PATH to a minimal set,
   // overriding both Docker ENV and -e PATH=... environment variables.
   // Prepend custom PATH after profile sourcing to ensure custom tools are accessible
   // while preserving system paths that /etc/profile may have added.
-  const pathExport = params.env.PATH ? `export PATH="${params.env.PATH}:$PATH"; ` : "";
+  const pathExport = hasCustomPath
+    ? 'export PATH="${CLAWDBOT_PREPEND_PATH}:$PATH"; unset CLAWDBOT_PREPEND_PATH; '
+    : "";
   args.push(params.containerName, "sh", "-lc", `${pathExport}${params.command}`);
   return args;
 }