Expected Findings
- User input is concatenated into the agent's system prompt with no isolation.
- Agent exposes shell, fetch, and fs tools with no allowlist.
- Tool output is echoed back to the chat window verbatim.
AI Agent
Agent Tool Abuse
A chat agent built with shell, fetch, and fs tools concatenates the user message into the system prompt, so any user can drive its tools.
Support agent
Primary Flows
- Chat endpoint POST {message} to drive any tool
- Tool registry Lists shell, fetch, fs
Signals
Prompt
prompt = SYSTEM + "\nuser said: " + req.message
Tool Call
if (msg.toLowerCase().includes("shell")) runShell(extractCmd(msg))