Exec Primitive
Any path inside an AI agent's tool surface that reaches a shell call, subprocess spawn, or interpreted-code execution — including paths the operator did not explicitly model as exec.
An Exec Primitive is any path inside an AI agent's tool surface that reaches a shell call, subprocess spawn, or interpreted-code execution — system(), subprocess.Popen, child_process.spawn, Function(), eval, exec(), or any of their language-specific equivalents. The term covers the obvious cases (a tool that wraps bash) and, more importantly, the non-obvious ones: paths the operator did not explicitly model as exec but that nonetheless terminate at an interpreter call.
Non-obvious exec primitives are the principal source of OWASP ASI05 (Unexpected Code Execution) findings in production. The disclosed CVE record from 2025–2026 includes several worked examples: CVE-2025-59528 (Flowise CustomMCP) used Function() over unsanitised input — the operator wrote the integration as a "node configuration" feature without realising the configuration field reached an interpreter. CVE-2026-0755 (gemini-mcp-tool) passed user-supplied content directly to execAsync — the wrapper looked like a thin abstraction over an API call. Each is an exec primitive that the operator did not classify as one until the CVE was filed.
Why Enumeration Matters
The single most under-performed control against ASI05 is exhaustive enumeration of exec primitives in a deployment's full tool surface. Most teams can name the primitives they explicitly built. They cannot name the ones embedded in third-party packages, hidden in framework defaults, or composed across multiple tools that individually look like read or transform operations. Enumeration is the prerequisite for every other control — sandbox effectiveness depends on knowing which paths to wrap; argument validation depends on knowing which paths take user input; composition policy depends on knowing which combinations terminate at exec.
The enumeration process traces every tool's call graph from the agent-facing API down to any path that reaches a shell, spawn, or interpreter call. For each terminal call: what inputs influence the call? Where do those inputs come from? What sandbox or isolation layer wraps the call? What human checkpoint, if any, gates the call?
Defensive Patterns
Once enumerated, every exec primitive needs three layers of defence: a kernel-level sandbox (containers, seccomp, AppArmor/SELinux); strict allowlisting of inputs before the call (exact executable paths, schema-validated arguments, scoped environment-variable inheritance); and, for agent-generated code paths, a human-in-the-loop checkpoint between generation and execution.
For deeper guidance on how to enumerate and harden exec primitives in MCP-based deployments, see the OWASP ASI05 explainer and the MCP Security Audit service description.
Articles Using This Term
Learn more about Exec Primitive in these articles:
Related Terms
Model Context Protocol (MCP)
Open standard defining how AI agents communicate with external tools, databases, and services through a unified interface for LLM-to-infrastructure interaction.
Tool Misuse
The runtime use of an AI agent's tools in unintended, unsafe, or attacker-directed ways — through over-privilege, descriptor ambiguity, or unsafe composition. The class OWASP ASI02 covers.
Configuration-Channel Injection
An attack pattern where adversarial values supplied through a configuration source flow into a privileged operation — such as a process spawn or shell call — without sanitisation.
Agent-Generated Code
Code (Python, JavaScript, shell, SQL) that an AI agent writes during a task and that the runtime can execute, with or without human review. The principal vector for OWASP ASI05 in agents that have not implemented a generation-to-execution review gate.
Need expert guidance on Exec Primitive?
Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.
Get a Quote