Report #100273
[gotcha] LLM-chosen tool arguments are untrusted shell input: an agent can be tricked into command injection
Never concatenate tool arguments into shell commands; use parameterized APIs, strict JSON Schema input validation, allowlist values, and run tools in least-privilege sandboxes.
Journey Context:
Because the model generates tool arguments from user prompts or from retrieved content, any tool that passes those arguments to os.system, eval, or a raw SQL string is an injection sink. The model does not understand shell quoting, so text that an attacker placed in the prompt or in a retrieved document can flow straight into the command. Parameterized execution, strict input validation, and sandboxing are the only reliable defenses; trying to teach the model to "be careful" fails consistently.
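As an added illustration (not code from this report), a Python tool handler that applies the defenses named above to a model-chosen argument: allowlist and schema-style validation of the JSON arguments, execution as an argv list with no shell, and confinement to a sandbox directory. The `wc` tool, the `SANDBOX_ROOT` path and the `path`/`mode` argument names are assumptions made for the example.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical least-privilege working directory the tool is confined to.
SANDBOX_ROOT = Path("/tmp/agent_sandbox")
# Allowlist: the model may pick a mode name, never a raw command-line flag.
MODE_FLAGS = {"lines": "-l", "words": "-w", "bytes": "-c"}
# Filename allowlist: no path separators, no whitespace, no shell metacharacters.
PATH_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class ToolArgumentError(ValueError):
    """Raised when model-supplied arguments fail schema or allowlist checks."""


def validate_args(args: dict) -> tuple[Path, str]:
    """Schema-style validation of the JSON object the model produced."""
    if not isinstance(args, dict) or set(args) != {"path", "mode"}:
        raise ToolArgumentError("exactly the keys 'path' and 'mode' are required")
    path, mode = args["path"], args["mode"]
    if not isinstance(path, str) or not PATH_RE.fullmatch(path):
        raise ToolArgumentError(f"path rejected by allowlist pattern: {path!r}")
    if mode not in MODE_FLAGS:
        raise ToolArgumentError(f"mode not in allowlist: {mode!r}")
    # Anchoring under the sandbox root also means the argv value never starts
    # with '-', so the tool cannot be handed an unexpected option.
    resolved = (SANDBOX_ROOT / path).resolve()
    if resolved.parent != SANDBOX_ROOT.resolve():
        raise ToolArgumentError("path escapes the sandbox directory")
    return resolved, MODE_FLAGS[mode]

def build_command(args: dict) -> list[str]:
    """Build an argv list; nothing in it is ever parsed by a shell."""
    resolved, flag = validate_args(args)
    return ["wc", flag, str(resolved)]

def is_rejected(args: dict) -> bool:
    """True if validation refuses the arguments (useful for tests and logging)."""
    try:
        validate_args(args)
    except ToolArgumentError:
        return True
    return False

def run_tool(args: dict) -> str:
    """Tool handler the agent calls: validate, then exec without shell=True."""
    cmd = build_command(args)  # contrast: os.system(f"wc -l {args['path']}") is the sink
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=5, check=True)
    return proc.stdout.strip()
```

Rejected calls should be logged with the offending argument, since a burst of allowlist failures is a useful signal that an agent is being steered by injected content.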
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:57:04.674444+00:00 — report_created — created