Expected Findings
- Function schema accepts free-form `where` clauses.
- Backend interpolates the `where` string into raw SQL.
- `cmd` argument on the `runner` tool is passed straight to `exec`.
The function-calling schema lets the model emit `where` and `cmd` strings that backend code interpolates straight into SQL or shell, so prompt injection becomes RCE.
CWE-94, CWE-77
```json
{"name":"sql.query","parameters":{"where":{"type":"string"}}}
```

```javascript
// Vulnerable as written: the model-supplied `where` string is concatenated into the query.
db.exec("SELECT * FROM users WHERE " + args.where)
```
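Hardened counterparts to both findings, as an added example (not code from the original finding or its backend): the tool schema exposes a structured filter that is checked against an allow-list and compiled into a parameterized query, and the runner accepts a named action mapped to a fixed argv rather than a free-form `cmd`. The column names, operators and action names are hypothetical.

```javascript
// Added example, not the original backend's code. Column names, operators and
// runner actions below are hypothetical allow-lists chosen for illustration.

const ALLOWED_COLUMNS = new Set(["id", "email", "status"]);
const ALLOWED_OPS = { eq: "=", ne: "<>", lt: "<", gt: ">" };

// Structured filter the model is allowed to emit instead of a free-form `where`,
// e.g. {"column":"status","op":"eq","value":"active"}.
function buildUserQuery(filter) {
  if (!filter || typeof filter !== "object") throw new Error("filter must be an object");
  const { column, op, value } = filter;
  if (!ALLOWED_COLUMNS.has(column)) throw new Error(`column not allowed: ${column}`);
  if (!(op in ALLOWED_OPS)) throw new Error(`operator not allowed: ${op}`);
  if (typeof value !== "string" && typeof value !== "number") {
    throw new Error("value must be a scalar");
  }
  // Identifiers come only from the allow-list; the value travels as a bound parameter.
  return { sql: `SELECT * FROM users WHERE "${column}" ${ALLOWED_OPS[op]} $1`, params: [value] };
}

// Named actions for the runner tool, each a fixed program plus argv prefix.
// The result is meant for child_process.execFile (argv array, no shell), never exec.
const RUNNER_ACTIONS = {
  list_tmp: { file: "ls", args: ["-la", "/tmp"] },
  disk_usage: { file: "df", args: ["-h"] },
};

function buildRunnerInvocation(action) {
  const spec = RUNNER_ACTIONS[action];
  if (!spec) throw new Error(`action not allowed: ${action}`);
  return { file: spec.file, args: [...spec.args] };
}

// Constructed model outputs: a benign filter and one that smuggles SQL into the column name.
const benign = buildUserQuery({ column: "status", op: "eq", value: "active" });
let rejected = false;
try {
  buildUserQuery({ column: "email' OR '1'='1", op: "eq", value: "x" });
} catch (e) {
  rejected = true; // the allow-list check, not the database, stops it
}
console.log(benign.sql, benign.params, rejected);
```

The database driver still has to honour `params` as bound values; the allow-list only guarantees that nothing model-controlled ever reaches the SQL text or a shell parser.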