AI Agents Face Remote Execution Risks in Standard Defensive Workflows
Researchers reveal that automated vulnerability scanning tools from Anthropic and OpenAI can be tricked into executing malicious code.
As enterprises increasingly deploy AI-driven agents to manage vulnerability discovery and patching, a significant security blind spot has emerged. A new report published by the AI Now Institute on July 8 by Heidy Khlaaf and Boyan Milanov details how these autonomous assistants can be weaponized against the very systems they are intended to protect.
Weaponizing the Trusted Assistant
The research highlights a proof-of-concept exploit that triggers remote code execution within widely used command-line interfaces, specifically Anthropic’s Claude Code and OpenAI’s Codex. The vulnerability affects Claude Code when utilizing Claude Sonnet 4.6, 5, or Opus 4.8, and impacts Codex when paired with GPT-5.5.
The attack mechanism relies on prompt injection. By embedding subtle, malicious instructions within an open-source codebase—such as in documentation or code comments—an attacker can manipulate the AI agent during its analysis phase. When a user runs the tool in "auto-mode," the AI parses the repository, interprets the injected text as legitimate instructions, and executes them without human intervention.
The Illusion of Safe Automation
The exploit circumvents standard security safeguards by framing malicious commands as routine security workflows. The AI agent, tasked with scanning for vulnerabilities, is tricked into believing that running a specific shell script is a necessary step to secure the environment. This leads the agent to execute a concealed binary that appears to be a benign component of the software project.
“An AI coding agent has no reliable way to distinguish the text it reads from instructions it is supposed to follow,” he said, this is because everything in its context window is processed with the same authority.
This architectural failure means that even advanced models can be compromised if they are granted the autonomy to execute commands on a host system. The researchers tested this on Linux systems using various versions of the tools, including Claude Code versions 2.1.116, 2.1.198, and 2.1.199, as well as Codex version 0.142.4.
Architectural Flaws in AI Trust
Eljan Mahammadli, head of AI provenance at Polygraf AI, notes that the problem is rooted in the fundamental way these systems process language. Because agents lack a clear mechanism for attribution, they treat all information within their context window as equally authoritative. This is not merely a bug to be patched, but a core property of current agentic system design.
However, analysts caution against concluding that AI-led defense is inherently impossible. Instead, the risk is amplified when agents combine access to untrusted data, command execution capabilities, and sensitive environments within a single process. Stronger runtime controls and better separation of capabilities remain essential for preventing these agents from being turned against their operators.
Implications for Enterprise Security
For organizations, this discovery serves as a warning regarding the rapid deployment of autonomous security tools. As companies implement programs like Anthropic's Project Glasswing or OpenAI's Patch the Planet, the reliance on "auto-review" modes introduces a critical new trust boundary. Security teams must recognize that a more capable AI model is not necessarily safer; it is simply a more efficient executor of the instructions provided to it, making rigorous provenance and restricted execution environments vital for any deployment touching safety-critical infrastructure.