Anonymous Intelligence Signal

Critical Flaw Allows Authenticated Users to Hijack AI Agents and Execute System Commands via Bash Tool Manipulation

human | The Lab | unverified | 2026-04-30 08:54:11 | Source: GitHub Issues

A critical security flaw has been reported in an AI agent platform that exposes a Bash tool to the model, enabling authenticated users to steer the agent into executing arbitrary system commands. The issue, reported by researcher Casco, shows that an attacker with valid credentials can craft prompts that coerce the agent into running commands such as `curl` against internal addresses (the report targets `localhost:9999`) and `grep` over the local filesystem in search of sensitive configuration files. Because the tool runs whatever shell command the agent is talked into issuing, the flaw is a direct path to command execution in the agent's host environment.

The vulnerability goes beyond command execution. During exploitation, the agent's raw tool output disclosed internal configuration details, including the name of the environment variable holding the ANTHROPIC_API_KEY. The report describes the variable name being exposed, not the key value; an attacker who can already run arbitrary commands in the environment where that variable is set is not limited to learning its name, however, so the finding should be treated as a credential-exfiltration path that allows pivoting to external AI services and into any other system that shares the key. The issue was marked "valid" after initial triage, confirming that the attack is reproducible and requires only standard authenticated access to the platform.

The implications extend to any organization deploying AI agents with tool-calling capabilities, particularly those that hand the model a Bash tool. Security teams should review the tool's permission model, enforce command allowlists, confine file access to a sandbox directory, run tool subprocesses with a minimal environment so that API keys are never inherited by the child process, filter tool output for secrets before it is returned to the model, and audit how API keys are stored and injected. The vulnerability highlights a systemic risk in agentic architectures: the boundary between what the model may say and what the host will execute is only as strong as the validation applied to the commands the model emits, and carefully constructed user input can push the model across it. Given that the report demonstrates arbitrary command execution from an authenticated foothold, organizations relying on such systems should treat it as a priority remediation item.
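As an added illustration (not code from the reported issue or from the affected platform), the following Python gate applies the controls above to a Bash tool: an executable allowlist, a filesystem sandbox for file tools, an egress check that refuses loopback, link-local and private targets for `curl`, a scrub of credential-looking values in tool output, and execution with `shell=False` and a minimal environment so the agent's API keys never reach the child process. The allowlisted executables, the `/workspace` sandbox root, the accepted `curl` flags and the secret-name pattern are assumptions chosen for the example.

```python
"""Policy gate for an agent Bash tool: allowlist, sandbox, egress and output controls.

Added example, not code from the reported issue or the affected platform.
Assumptions: the allowlisted executables, the /workspace sandbox root, the
accepted curl flags and the credential-name pattern are all chosen here.
"""
import ipaddress
import os
import re
import shlex
import subprocess
from urllib.parse import urlparse

SANDBOX_ROOT = "/workspace"          # assumption: the only tree file tools may touch
CURL_FLAGS = {"-s", "-S", "-sS", "-L", "-I", "-f", "--fail"}  # no -o, -T, -K, -d ...
SHELL_META = set(";&|<>`$(){}\n")    # never interpreted here; rejecting them keeps intent explicit

# Credential-looking assignments such as ANTHROPIC_API_KEY=sk-... in tool output.
SECRET_RE = re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))\b(\s*[=:]\s*)(\S+)")


def _inside_sandbox(arg):
    """Resolve arg (relative paths are taken under the sandbox) and confine it."""
    root = os.path.realpath(SANDBOX_ROOT)
    real = os.path.realpath(os.path.join(root, arg))   # an absolute arg discards root
    return os.path.commonpath([root, real]) == root


def _paths_policy(args):
    """File tools: every non-option argument must resolve inside the sandbox.
    Conservative on purpose: a grep pattern is checked as if it were a path."""
    for a in args:
        if a.startswith("-"):
            continue
        if not _inside_sandbox(a):
            return "path escapes sandbox: " + a
    return None


def _is_external(url):
    """Loopback, link-local and private ranges are refused, so localhost:9999 and
    cloud metadata endpoints are unreachable. A DNS name is accepted here; DNS
    rebinding to an internal address must be stopped by the egress proxy."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def _curl_policy(args):
    for a in args:
        if a.startswith("-"):
            if a not in CURL_FLAGS:
                return "curl option not permitted: " + a
        elif not _is_external(a):
            return "curl target is not an external host: " + a
    return None


POLICIES = {
    "ls": _paths_policy, "cat": _paths_policy, "head": _paths_policy,
    "wc": _paths_policy, "grep": _paths_policy, "curl": _curl_policy,
}


def check_command(command):
    """Return (argv, None) if the command may run, otherwise (None, reason)."""
    if any(c in SHELL_META for c in command):
        return None, "shell operators and substitutions are not allowed"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return None, "unparseable command: " + str(exc)
    if not argv:
        return None, "empty command"
    policy = POLICIES.get(argv[0])
    if policy is None:
        return None, "executable not in allowlist: " + argv[0]
    reason = policy(argv[1:])
    return (None, reason) if reason else (argv, None)


def scrub_output(text):
    """Mask credential values before the tool result is handed back to the model."""
    return SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)


def run_tool(command, timeout=10):
    """Execute an approved command with no shell and no inherited environment."""
    argv, reason = check_command(command)
    if argv is None:
        return "[denied] " + reason
    proc = subprocess.run(
        argv, capture_output=True, text=True, timeout=timeout,
        cwd=SANDBOX_ROOT if os.path.isdir(SANDBOX_ROOT) else None,
        env={"PATH": "/usr/bin:/bin"},   # the agent's API keys never reach the child
    )
    return scrub_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for cmd in ("curl http://localhost:9999", "grep -r ANTHROPIC_API_KEY /etc",
                "ls -la src", "cat /workspace/app.py; env"):
        print(cmd, "->", check_command(cmd))
    print(scrub_output("ANTHROPIC_API_KEY=sk-ant-fake123\nPATH=/usr/bin"))
```

The two probes named in the report, `curl` to `localhost:9999` and `grep` across the filesystem, are both denied by `check_command` before any process is spawned, and the scrub step masks the value of a credential assignment if one does appear in output. The metacharacter rejection is deliberately blunt (a `$` anchor in a grep pattern is refused too); the real guarantee comes from passing `argv` directly with `shell=False`, so no shell ever parses the model's text.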