Prompt-to-Shell Execution via Unsafe Command Construction

Root cause

• • The system treats model output as trustworthy command text instead of preserving argument-level provenance and safe command construction.

Exploit path

• • Attacker-controlled content enters prompt context through repo files, tickets, docs, or external content
• • The model converts that content into a command suggestion or parameter
• • The runtime interpolates the output into a shell string or eval helper
• • The command executes with operator or agent authority

What an auditor should check

• • Trace mixed-trust inputs all the way to shell, eval, dynamic imports, notebooks, and package scripts
• • Inspect wrappers for string concatenation, shell=True, bash -lc, template interpolation, and fallback helpers
• • Check whether file paths, URLs, branch names, and destinations preserve trusted provenance

Evidence to collect

• • Code path from prompt assembly to command execution
• • Examples of unsafe shell construction or templating
• • Logs showing operator approval granularity versus actual executed command

Remediation guidance

• • Use structured argument arrays instead of raw shell strings
• • Require sink-time validation for destinations, paths, and side-effectful flags
• • Sandbox dynamic execution and narrow inherited secrets

Agentic DeFi relevance

• • Any agent that shells out to wallet, relayer, simulation, or deployment tooling can convert prompt injection into direct financial or operational impact.

Detailed note