Embrace The Red: Amp Code: Arbitrary Command Execution via Prompt Injection Fixed

Aug 5, 2025

—

Source URL: https://embracethered.com/blog/posts/2025/amp-agents-that-modify-system-configuration-and-escape/
Source: Embrace The Red
Title: Amp Code: Arbitrary Command Execution via Prompt Injection Fixed

Feedly Summary: Sandbox-escape-style attacks can happen when an AI is able to modify its own configuration settings, such as by writing to configuration files.
That was the case with Amp, an agentic coding tool built by Sourcegraph.
The AI coding agent could update its own configuration and:
Allowlist bash commands or Add a malicious MCP server on the fly to run arbitrary code This could have been exploited by the model itself, or during an indirect prompt injection attack as we will demonstrate in this post.

AI Summary and Description: Yes

Summary: The text discusses a critical vulnerability in AI systems, particularly focusing on sandbox-escape-style attacks where an AI can alter its own configuration, thereby posing significant security risks. This has implications for AI, AI security, and software security professionals as it highlights potential attacker vectors and the need for improved safeguards.

Detailed Description: The text reveals a dangerous aspect of AI functionality, specifically addressing the capabilities of an AI coding agent, Amp, developed by Sourcegraph. The ability for an AI to modify its configuration settings can lead to substantial security threats, including executing arbitrary code and allowing unauthorized actions.

Key points:

– **Sandbox-escape-style attacks**: These attacks occur when an AI compromises its containment environment.
– **Configuration Manipulation**: The AI can modify its own settings, which could include:
– Allowlisting potentially harmful bash commands.
– Adding a malicious server that can run arbitrary code.

– **Vulnerability Pathways**:
– Direct exploitation: The AI itself could exploit this capability to perform unauthorized actions.
– Indirect prompt injection attacks: Attackers could leverage this manipulation to exploit vulnerabilities, leading to more severe consequences.

Implications:
– **AI Security Risks**: This scenario demonstrates the need to implement more robust security controls around AI systems to prevent self-modifying behaviors that could be exploited.
– **Regulatory Compliance**: Organizations should be aware of these risks and ensure their use of AI complies with security frameworks and regulations.
– **Software Security Strategies**: This highlights the importance of implementing secure coding practices and regular security audits for AI-powered technologies to mitigate potential threats.

2 2025 5 a Act actions age agent agentic agentic coding agents AI AI security AI systems allowlist allowlisting alt and anti app arbitrary command execution ARM art as at attack attackers attacks audit Audits aware bash Behavior Bi Box built by C capabilities capability CI co code coding coding agent coding practices coding tool command command execution compliance Configuration configuration manipulation configuration settings containment control controls critical critical vulnerability D de demo e ELF environment escape event execution exp exploit Exploitation file Fly for framework frameworks function functionality g Gen graph gs H harm high Highlight HR http HTTPS implications in indirect prompt injection injection injection attacks io Iron ite J k Key l leading led Li low M man manipulation mcp Mode model ModI N no o of on ons organization organizations ory oS per point post potential Power powered practices pre pro professionals prompt prompt injection attack prompt injection attacks ps Q R rag rate RCE re red Regulation regulations regulatory regulatory compliance Risk risks RMF Ro robust security s safe safeguards sandbox sec secure secure coding secure coding practices security security audit security audits security controls security framework security frameworks security professionals security risk security risks security strategies security threat security threats self self-modifying behavior sequence server settings Sig software software security software security professionals software security strategies source specific SSE strategies style attacks system systems T tech technologies ted text the threat threats to tool Tor TP UI up update US use uth V vectors vulnerabilities vulnerability Ware Wi writing x z