[BUG] It runs non-approved commands by itself if I have queued messages! #12302

@Alexey-Akishin

Problem (one or two sentences)

I noticed that if I have a queued message and the LLM happens to generate a command, even one that normally asks for approval and waits, it just runs it! This is surely a bug, because if I do not have a queued message but send a message normally as a reply to a request to approve a command, without pressing Approve, just the Send button, the command gets rejected. Naturally, sending a queued message should also reject any command that is not explicitly in the auto-approve list, or if I have Execute auto-approve disabled!

Context (who is affected and when)

This is obviously very dangerous: it can run npm / yarn packages that I prefer to run in a separate user account for security (against supply chain attacks), it can also run an arbitrary Python script, delete files, run a chain of commands like "git add -A" followed by git commit adding lots of untracked files, etc. I was very careful to only enable auto-approval for commands I actually want, so it absolutely should not run one that I did not explicitly approve just because there was a queued message!

I already got burned by this quite a few times; every single time the LLM comes up with a command when I have a message queued, it is something I did not expect or did not want to run at all.

Reproduction steps

  1. Make the LLM do some work, and send a queued message
  2. If the LLM decides to request a command to run, and there is a queued message, the queued message gets sent and approves the arbitrary command even if it was not explicitly in the auto-approve list and normally would ask for approval, while the expected behavior in such a case is to auto-refuse (since this is what happens if I send a message in response normally without pressing Approve: the unapproved command gets refused).

Expected result

If I had a queued message, it gets sent and unapproved commands get refused; the only exception is if the command was explicitly in my auto-approve list and Execute auto-approval was enabled.

Actual result

The command that normally would request approval without a queued message gets unexpectedly executed, possibly wreaking havoc.

Variations tried (optional)

No response

App Version

Latest git

API Provider (optional)

OpenAI Compatible

Model Used (optional)

Kimi K2.6

Roo Code Task Links (optional)

No response

Relevant logs or errors (optional)
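
The approval rule this report asks for, next to the behaviour it describes, as an added example (not Roo Code's code and not written by the reporter). All type and function names are hypothetical, and the prefix-based allowlist matching is a simplified assumption.

```typescript
// Added illustration. Every name here is hypothetical, not a Roo Code identifier.
type ResponseSource = "approveButton" | "typedMessage" | "queuedMessage";

interface ApprovalSettings {
  executeAutoApprove: boolean; // the "Execute" auto-approve toggle
  allowedPrefixes: string[];   // the user's auto-approve command list
}

interface Decision { run: boolean; reason: string }

// Split a chain such as `git add -A && git commit` so every part is checked.
// Deliberately naive: anything with command substitution is never auto-approved.
function isAllowlisted(command: string, s: ApprovalSettings): boolean {
  if (!s.executeAutoApprove || /\$\(|`/.test(command)) return false;
  const parts = command.split(/&&|\|\||[;|&\n]/).map((p) => p.trim()).filter(Boolean);
  return parts.length > 0 && parts.every((part) =>
    s.allowedPrefixes.some((pre) => part === pre || part.startsWith(pre + " ")));
}

// Behaviour described in the report: a queued message answers the pending
// approval prompt and is treated the same as pressing Approve.
function decideAsReported(command: string, s: ApprovalSettings, src: ResponseSource): Decision {
  if (isAllowlisted(command, s)) return { run: true, reason: "auto-approved" };
  if (src === "approveButton" || src === "queuedMessage")
    return { run: true, reason: "treated as approval" };
  return { run: false, reason: "rejected by message" };
}

// Behaviour the report expects: only an explicit Approve press is consent.
// Any text reply, typed or queued, rejects the command (fail closed).
function decideFailClosed(command: string, s: ApprovalSettings, src: ResponseSource): Decision {
  if (isAllowlisted(command, s)) return { run: true, reason: "auto-approved" };
  if (src === "approveButton") return { run: true, reason: "explicit approval" };
  return { run: false, reason: `rejected: ${src} is not consent` };
}

// Constructed sample settings and commands.
const sampleSettings: ApprovalSettings = { executeAutoApprove: true, allowedPrefixes: ["git status", "ls"] };
for (const cmd of ["git status", "npm install some-package", "git status && git add -A"]) {
  const before = decideAsReported(cmd, sampleSettings, "queuedMessage");
  const after = decideFailClosed(cmd, sampleSettings, "queuedMessage");
  console.log(`${cmd}: reported run=${before.run}, fail-closed run=${after.run} (${after.reason})`);
}
```

A regression test for this issue would assert the fail-closed column for every response source, including a chained command whose first part is allowlisted.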
