Now in early access, book a 30-minute demo →
Threat surface

Code Execution Paths

Agentic environments are dense with ways to run code - shell tools, MCP processes, skill and hook scripts, and config files that execute on their own. Each is an execution primitive an attacker can reach with text.

Influenced inputweb, repo, tool output Tool-call hookallow / deny / log AI agentdecides what to run Shell toolterminal commands MCP stdio processserver launch Scripts + autorunskills, hooks, config Endpoint authoritysecrets, code, network text steers deny before run runs command spawns process triggers script executes executes
One input, many exits: attacker-influenced text reaches the agent, which fans out to every execution path on the endpoint.

An agentic environment is unusually dense with ways to run code. The agent has a shell tool, spawns MCP servers as local processes, loads skills that bundle scripts and hooks that fire on events, opens projects whose config files run tasks, and performs git actions that invoke hooks. Each is an execution primitive: a path from some input to code running with the developer's full privileges.

What makes the surface dangerous is their number and their triggers. A traditional application runs external code in a few audited places; an agentic endpoint has many, several of which fire without a human ever clicking run, and every one is reachable by text the agent read somewhere. Combined with prompt injection, the count of execution paths is the count of ways an attacker's words become an attacker's code.

Why this surface exists

The primitives exist because agents are built to act, not just answer. A coding agent that cannot run a build or a test is barely useful, so shell access is table stakes. MCP extends that reach: a server is not data the agent reads but a program it launches, and over the stdio transport the launch is the execution. Skills can carry executable scripts, and a hook is code wired to an event.

The human approval gate was supposed to contain this, and it erodes two ways. Vendors ship convenience modes - auto-run, yolo mode, auto-approve allowlists - that skip the prompt entirely; a yolo-mode flaw in Copilot for VS Code (CVE-2025-53773) turned that opt-in into remote code execution. And where prompts remain, approval fatigue sets in: an agent that asks to run a command dozens of times an hour trains its operator to click approve without reading. A gate a human rubber-stamps is not a gate.

Attack scenarios

Execution path, trigger, incident class

Execution pathWhat triggers itIncident class
Shell / terminal toolAgent decides a command is neededSilent or over-approved command execution
Auto-run / yolo modeA convenience setting skips the promptUnattended remote code execution
MCP stdio serverEnabling or launching the serverRun-on-install code execution
Skill / hook scriptTask match or lifecycle eventInstruction-supply-chain execution
Project config fileOpening or trusting a workspaceRun-on-open RCE and token theft
Git hookClone, commit, or checkoutRun-on-git-action RCE

Mitigations

  1. Enumerate the execution paths you have. You cannot govern primitives you have not counted. Inventory which agents carry shell tools, which run in auto-approve modes, which MCP servers are enabled, and which skills and hooks are installed across the fleet.
  2. Default the human gate on, and keep it meaningful. Disable auto-run and blanket allowlists where they are not justified, and scope exceptions narrowly. An approval that fires rarely and specifically survives a busy engineer; one that fires constantly does not.
  3. Enforce at the tool-call boundary. The common choke point for shell, MCP, and script execution is the tool call. A hook that evaluates each call against policy before it runs converts an unapproved execution into a logged, denied attempt.
  4. Treat config and hooks as code. Files, task definitions, and git hooks that execute on open or on git actions deserve the same review and change-tracking as any other executable.
  5. Keep the trail. Execution is where injection turns into impact. Retain a queryable record of what ran and what triggered it, long enough to investigate.

How Anomity helps

Anomity's lightweight, unprivileged Endpoint Sensor discovers the artifacts that carry these execution paths - AI agents, MCP servers, extensions, plugins, skills, hooks, and CLIs - and records each one's source, owner, version, and reach, so the ways code can run on a fleet become enumerable instead of assumed. On agents that expose a hook, such as Claude Code's PreToolUse, it evaluates each tool call and returns allow, deny, or log before the command, process, or script runs. A newly enabled auto-run mode or a freshly installed server surfaces as a change event, violations route to SIEM, Slack, email, and Jira, and every decision lands in a queryable 90-day audit trail.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok