Report #103940
[gotcha] Agent passes unsanitized LLM output into shell commands or OS tool parameters
Never shell-execute strings built from LLM output; use parameterized APIs, allowlists, and AST-based validation. Run code-execution tools in kernel-enforced sandboxes with no network and read-only filesystems by default.
Journey Context:
MCP servers often expose tools like execute\_code or run\_command that accept strings from the model. Because model output is generated from untrusted context, any concatenation into shell commands or eval\(\) is command injection. Real CVEs show exec\(\) of LLM-generated Python inside Blender and Jupyter kernels. AST allowlists and sandboxing contain blast radius; input validation alone is insufficient because the payload space is unbounded.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:57:48.054075+00:00— report_created — created