Agent-Generated Code
Code (Python, JavaScript, shell, SQL) that an AI agent writes during a task and that the runtime can execute, with or without human review. The principal vector for OWASP ASI05 in agents that have not implemented a generation-to-execution review gate.
Agent-Generated Code is code an AI agent writes during a task and that its runtime can execute. Modern agents routinely generate Python, JavaScript, shell scripts, SQL queries, and arbitrary code in response to prompts — for data analysis, infrastructure tasks, code modification, or as part of multi-step planning. Whether that generated code then runs is a separate decision, made (often implicitly) by the runtime's design.
When the runtime auto-executes generated code without human review, it becomes the principal vector for OWASP ASI05 (Unexpected Code Execution). Every input the agent processes — a document the user shares, a tool output the agent receives, a webpage the agent fetches — is potential influence over what gets generated. Adversarial content in any of these inputs can drive the agent to write code that does what the attacker wants, and the runtime then executes it with the host's full authority.
Why Auto-Execution Is the Failure Point
Code generation by itself is benign — generating Python that prints "hello world" causes no harm. The harm enters when the runtime executes the generated code without an interceding human checkpoint. The classical separation of "code review" and "code execution" that protects developers from their own mistakes is collapsed in agent runtimes that auto-execute. The generated code is the attacker's effective payload, and there is no review step before the payload runs.
The empirical record bears this out. Several 2025–2026 disclosures involved exactly this pattern: an agent processed adversarial input, generated code that exfiltrated credentials or modified workspace files, and the runtime executed the code without surfacing it. The fix in each case was the same: insert a review gate between generation and execution.
Defensive Patterns
The two structural controls that close the agent-generated-code path are: review gates (every code-generation flow must surface the generated code, the inputs that produced it, and the expected effect to the user, with explicit approval required before execution); and sandbox isolation (when generated code does run after approval, it runs in a kernel-level sandbox with restricted credentials, network access, and filesystem reach).
Operationally, the review gate is non-negotiable for any agent that has access to credentials, signing keys, infrastructure, or production systems. The friction it introduces is the security control. Removing the gate to "speed up" agent workflows removes the protection — and the next adversarial input ends up running attacker-chosen code with whatever the agent has access to.
For deeper guidance, see the OWASP ASI05 explainer and the MCP Security Checklist.
Articles Using This Term
Learn more about Agent-Generated Code in these articles:
Related Terms
Model Context Protocol (MCP)
Open standard defining how AI agents communicate with external tools, databases, and services through a unified interface for LLM-to-infrastructure interaction.
AI Agent
Autonomous software system powered by a large language model that can perceive, reason, and execute actions — including signing blockchain transactions — without continuous human oversight.
Exec Primitive
Any path inside an AI agent's tool surface that reaches a shell call, subprocess spawn, or interpreted-code execution — including paths the operator did not explicitly model as exec.
Tool Misuse
The runtime use of an AI agent's tools in unintended, unsafe, or attacker-directed ways — through over-privilege, descriptor ambiguity, or unsafe composition. The class OWASP ASI02 covers.
Need expert guidance on Agent-Generated Code?
Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.
Get a Quote