Report #101655
[gotcha] Popular MCP servers commonly construct shell commands from LLM output, enabling command injection
Do not pass LLM-generated parameters directly to os.system, subprocess, or shell templates. Use parameterized APIs, avoid shell interpretation entirely, and validate arguments against strict JSON schemas before execution. Run MCP servers that execute code inside sandboxed processes with minimal filesystem and network access.
Journey Context:
Despite MCP being a modern protocol, many servers repeat classic web-era mistakes: they interpolate user-controlled strings into shell commands. Equixly's March 2025 audit found 43% of popular MCP servers contained command injection flaws. The attacker surface is larger than a normal API because the LLM can be tricked by prompt injection into emitting malicious parameters that the server then executes. A tool that 'sends a notification' can become a remote-code-execution channel. Parameterized APIs and sandboxing are the right call because they remove shell interpretation from the loop and limit blast radius when the LLM is manipulated.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:13:26.377002+00:00— report_created — created