SlowMist
SlowMist|Jul 18, 2026 08:54
Previously, we analyzed Grok CLI’s data upload behavior and found that its repository upload mechanism could send git bundles containing sensitive files such as .env files and RSA private keys. Following that analysis, we continued auditing Grok Build CLI’s security model after it was open-sourced. Within 24 hours, we identified two attack chains that can lead to arbitrary code execution without explicit user approval. The root cause is not a single bug, but a fragmented trust model: project-level files can influence AI Agent instructions and permission decisions without sufficient validation. Key findings: 🔹 cargo check was incorrectly classified as a safe command. Combined with malicious AGENTS.md instructions, attackers can trigger http://build.rs execution and achieve code execution. 🔹 .claude/settings.json with bypassPermissions can override permission checks and enable unrestricted tool execution. 🔹 Grok Build CLI inherits Claude Code CLI’s permission configuration model, exposing similar risks. 🔹 .mcp.json introduces additional project-level attack surfaces through MCP configuration. These findings highlight a broader issue: When #AI coding agents trust project-level files too much, opening a project can become equivalent to granting shell access. 📖 Full technical analysis: https://slowmist.medium.com/xai-grok-build-0-day-one-day-after-open-source-trust-mechanism-bypass-and-the-security-70b676300d98?sharedUserId=slowmist 👉 Previous analysis: https://slowmist.medium.com/grok-cli-risk-analysis-how-a-single-prompt-can-send-sensitive-files-to-the-cloud-3ce9243f10af?sharedUserId=slowmist(SlowMist)
Share To

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads