- A decades-old shell scripting trick, named GuardFall, can bypass the safety checks of most AI coding agents, exposing systems to severe risks.
- Researchers from Adversa AI found the flaw works against ten of eleven popular open-source coding agents tested, with only Continue providing robust defense.
- The vulnerability allows hidden commands to run with full user account access, potentially wiping files or stealing SSH keys and cloud credentials.
- Quick mitigation steps include running agents in isolated directories and disabling auto-execute flags until proper guards are implemented.
Researchers revealed in June 2026 that a simple shell trick can bypass the critical safety guardrails of popular AI coding assistants. The flaw, which exploits how bash interprets commands, was documented by security firm Adversa AI and named GuardFall.
Most agents check commands as plain text, but bash rewrites that text before executing it. A filter watching for 'rm' therefore sees nothing wrong with r"m (the same word with a quote character inside it), because bash strips the quotes and runs the dangerous command anyway.
The same idea works with commands hidden in base64 or with ordinary tools like find invoked with destructive flags. The researchers therefore call this “a dangerous convention and a class of problems,” meaning no single patch can fix it.
For an attack to succeed, the AI must first produce a malicious command hidden within normal-looking work. Meanwhile, the agent must also be running autonomously with auto-execute enabled, a common setup in automated pipelines.
The vulnerability was tested against tools including opencode, Goose, and Cline, which collectively had roughly 548,000 GitHub stars. An end-to-end attack was demonstrated against the production Plandex binary, and the same method worked against eight others, as detailed in Hermes’s own issue tracker.
Only the Continue agent effectively defended itself by parsing commands as the shell would. Its design, which checks what will actually run, held up in its default editor mode against every tested payload.
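The difference between checking the text the agent saw and checking what the shell will run, as an added example (not Adversa's, Continue's or any agent's code): a deny list applied to raw tokens misses r"m, while the same list applied after shlex-style quote removal and command splitting catches it, along with the base64-to-shell pipe and destructive find flags mentioned above. The deny list, the interpreter rule and the sample commands are constructed for this example.

```python
import shlex

# Constructed rules for this example; not any agent's real policy.
DENY = {"rm", "dd", "mkfs", "shred", "eval"}      # refused as a command name
INTERPRETERS = {"sh", "bash", "zsh", "xargs"}     # refused when fed from a pipe or given -c
SEPARATORS = {";", "|", "&", "&&", "||"}

def naive_check(command: str) -> bool:
    """Plain-text check of the kind the article describes: look for a denied
    word among the raw whitespace-split tokens. Here r"m is not equal to rm."""
    return any(tok in DENY for tok in command.split())

def split_commands(command: str) -> list[tuple[list[str], bool]]:
    """Tokenize the way the shell will (quotes removed, ; | && split out) and
    group tokens into simple commands. Raises ValueError on unbalanced quotes."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmds, argv, after_pipe = [], [], False
    for tok in lexer:
        if tok in SEPARATORS:
            if argv:
                cmds.append((argv, after_pipe))
            argv, after_pipe = [], tok == "|"
        else:
            argv.append(tok)
    if argv:
        cmds.append((argv, after_pipe))
    return cmds

def is_dangerous(argv: list[str], after_pipe: bool) -> bool:
    """Policy applied to one simple command after quote removal."""
    name = argv[0].rsplit("/", 1)[-1]          # /bin/rm -> rm
    if name in DENY:
        return True
    if name in INTERPRETERS and (after_pipe or "-c" in argv):
        return True                             # e.g. ... | base64 -d | sh
    if name == "find" and ("-delete" in argv or "-exec" in argv):
        return True                             # ordinary tool, destructive flag
    return False

def shell_aware_check(command: str) -> bool:
    """Check what bash would actually run rather than the text the agent saw."""
    try:
        return any(is_dangerous(argv, p) for argv, p in split_commands(command))
    except ValueError:
        return True   # unbalanced quoting: refuse rather than guess what bash does
if __name__ == "__main__":
    for cmd in ['r"m -rf ~', "echo PAYLOAD_B64 | base64 -d | sh", "find . -name '*.log' -delete"]:
        print(f"{cmd!r}: naive={naive_check(cmd)} shell_aware={shell_aware_check(cmd)}")
```

This still does not evaluate variable or command substitution, so a real guard needs a full shell parser or, as the article recommends, an isolated environment in addition to any text-level filter.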
Adversa recommends several immediate actions to reduce risk. These include running agents with a throwaway home directory and disabling auto-execute flags like --auto-run unless absolutely necessary.
This finding follows other similar security flaws this year. For instance, Adversa’s own TrustFall affected several major coding agents, and a separate deny-rule bypass hit Claude Code.