Argument Injection
A failure mode where attacker influence shapes the parameters, referenced artifacts, or execution context of a trusted command or action wrapper.
Argument Injection is the pattern where an AI system appears to call a trusted command, tool, or action wrapper, but the dangerous meaning still lives in attacker-influenced parameters or supporting state. The attacker does not need to replace the entire command. They only need to shape arguments, file paths, environment variables, referenced scripts, config files, destinations, or other execution-context fields that determine the real side effect.
This matters because many AI-agent control models still focus on the wrong boundary. They ask whether the model can execute a “dangerous command” or whether a human approved a broad action such as “run tests,” “open a PR,” or “prepare a trade.” That is too shallow. In practice, the security impact often depends on the exact parameters, supporting artifacts, and prior state surrounding that action. A coding agent may run a familiar binary while loading attacker-written files. A long-lived agent may reuse a remembered command template whose arguments were shaped by mixed-trust input. An Agentic DeFi workflow may invoke a trusted action label like “rebalance” while still leaving route, spender, amount, or recipient under model control.
For auditors, Argument Injection is useful because it turns vague prompt-injection discussion into a concrete execution review question: which parts of the final action remain under model or attacker influence after approval, routing, or policy classification? That drives better evidence collection. You should inspect exact argv, working directory, environment delta, referenced file hashes, config writes, and the sink-time policy that validates the final artifact. You should also test whether approvals bind to those details or only to a high-level label.
The term is closely related to Prompt-to-Sink, because argument injection is usually one stage inside a larger end-to-end exploit path. It also connects to Approval Bypass, since a human or policy may approve a trusted verb while the dangerous parameters remain hidden, and to Sink-Time Validation, which is the most reliable place to stop this class before execution. For a practical audit-focused treatment, see Approved Commands Still Reach RCE in Coding Agents.
Related Terms
Prompt-to-Sink
The end-to-end path from attacker-influenced prompt or context input to the final execution sink where the AI system can cause a real side effect.
Approval Bypass
A failure mode where a human approval step exists but does not constrain the exact parameters that determine the real security impact of an AI agent action.
Sink-Time Validation
Independent validation at the execution sink on the exact action, destination, and parameters an AI system is about to trigger.
Tool Misuse
The runtime use of an AI agent's tools in unintended, unsafe, or attacker-directed ways — through over-privilege, descriptor ambiguity, or unsafe composition. The class OWASP ASI02 covers.
Need expert guidance on Argument Injection?
Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.
Get a Quote