MOSAIC: Knowledge-Guided CLI Command Composition Attack in LLM Coding Agents

๐Ÿ“… 2026-07-02
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF
๐Ÿค– AI Summary
This work identifies and formalizes a novel command composition risk (CCR), wherein large language model (LLM) coding agents may inadvertently combine individually benign CLI commands into hazardous sequences through cross-command state dependenciesโ€”a threat largely overlooked by existing defenses. To systematically study CCR, the authors propose MOSAIC, a framework that constructs a command-state knowledge graph from CVEs, security advisories, and proof-of-concept exploits to synthesize reusable attack paths. These paths are instantiated as realistic developer workflows for black-box evaluation of LLM agents. Comprehensive experiments across five real-world coding agents and five LLMs, comprising 2,525 trials, demonstrate an alarming 96.59% attack success rate, underscoring the prevalence and severity of CCR in contemporary AI-assisted software development environments.
๐Ÿ“ Abstract
LLM coding agents increasingly complete development tasks by issuing ordinary CLI commands. Following the Unix design, these commands cooperate through shared operating-system state: one command may write state that a later command reads. While this composition is benign and intended, it creates an overlooked exploit surface. Existing attacks and defenses mainly target the instruction layer, where malicious intent appears as hostile text. In contrast, we observe that individually benign commands can form a dangerous producer-consumer state relation across the command trace, exposing what we call CLI command-composition risk (CCR). Given this new attack surface, it is critical to systematically uncover and characterize the impact of CCR in real-world coding agents. However, systematically understanding this risk is quite challenging, because naive command enumeration and end-to-end LLM generation produce mostly invalid workflows. We present MOSAIC, a knowledge-guided framework that distills validated command-state behaviors from CVEs, advisories, and researcher PoCs into reusable summaries, composes them into exploit paths, and instantiates them as realistic developer workflows for black-box agent evaluation. Across five real-world CLI coding agents and five backend LLMs over 2,525 trials, MOSAIC achieves a 96.59% attack success rate under benign developer tasks.
Problem

Research questions and friction points this paper is trying to address.

CLI command composition
command-composition risk
LLM coding agents
security exploit
stateful command interaction
Innovation

Methods, ideas, or system contributions that make the work stand out.

CLI command composition
command-composition risk
knowledge-guided attack
LLM coding agents
exploit path synthesis
๐Ÿ”Ž Similar Papers