๐ค AI Summary
This work identifies and formalizes a novel command composition risk (CCR), wherein large language model (LLM) coding agents may inadvertently combine individually benign CLI commands into hazardous sequences through cross-command state dependenciesโa threat largely overlooked by existing defenses. To systematically study CCR, the authors propose MOSAIC, a framework that constructs a command-state knowledge graph from CVEs, security advisories, and proof-of-concept exploits to synthesize reusable attack paths. These paths are instantiated as realistic developer workflows for black-box evaluation of LLM agents. Comprehensive experiments across five real-world coding agents and five LLMs, comprising 2,525 trials, demonstrate an alarming 96.59% attack success rate, underscoring the prevalence and severity of CCR in contemporary AI-assisted software development environments.
๐ Abstract
LLM coding agents increasingly complete development tasks by issuing ordinary CLI commands. Following the Unix design, these commands cooperate through shared operating-system state: one command may write state that a later command reads. While this composition is benign and intended, it creates an overlooked exploit surface. Existing attacks and defenses mainly target the instruction layer, where malicious intent appears as hostile text. In contrast, we observe that individually benign commands can form a dangerous producer-consumer state relation across the command trace, exposing what we call CLI command-composition risk (CCR).
Given this new attack surface, it is critical to systematically uncover and characterize the impact of CCR in real-world coding agents. However, systematically understanding this risk is quite challenging, because naive command enumeration and end-to-end LLM generation produce mostly invalid workflows. We present MOSAIC, a knowledge-guided framework that distills validated command-state behaviors from CVEs, advisories, and researcher PoCs into reusable summaries, composes them into exploit paths, and instantiates them as realistic developer workflows for black-box agent evaluation. Across five real-world CLI coding agents and five backend LLMs over 2,525 trials, MOSAIC achieves a 96.59% attack success rate under benign developer tasks.