RTK filters and compresses command outputs before they reach the LLM context. Prior to version 0.32.0, RTK (Rust Token Killer) incorrectly trusts project‑local configuration files, automatically loading .rtk/filters.toml from the working directory with the highest priority and without alerting users. This behavior constitutes a trust of user‑supplied configuration, a weakness that falls under CWE‑426 (Untrusted Search Path) and also results in information tampering consistent with CWE‑345 (Information Exposure Through Output). An attacker can place a malicious .rtk/filters.toml file in a repository to apply regex‑based transformations such as strip_lines_matching to shell command output before it is displayed to the LLM, with no indication that the output has been modified. This silent tampering allows attackers to suppress or alter command output—including file contents, diffs, and security scan results—without detection, potentially hiding malicious code from AI‑assisted code review. The issue is resolved in RTK 0.32.0.

The defect affects the rtk‑ai:rtk product, especially versions older than 0.32.0. Users of RTK running any previous release are impacted until they upgrade to the fixed version.

The CVSS score of 6.9 indicates moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires placing a crafted .rtk/filters.toml in a working directory that RTK processes, which is typically a developer’s local repository. Based on the description, it is inferred that the attack vector is local, and because the tool applies the filter silently, the consequences include undetected tampering of data that feeds an LLM, leading to potential security reviews skipping malicious code.