An agentic environment is unusually dense with ways to run code. The agent has a shell tool, spawns MCP servers as local processes, loads skills that bundle scripts and hooks that fire on events, opens projects whose config files run tasks, and performs git actions that invoke hooks. Each is an execution primitive: a path from some input to code running with the developer's full privileges.
What makes the surface dangerous is their number and their triggers. A traditional application runs external code in a few audited places; an agentic endpoint has many, several of which fire without a human ever clicking run, and every one is reachable by text the agent read somewhere. Combined with prompt injection, the count of execution paths is the count of ways an attacker's words become an attacker's code.
Why this surface exists
The primitives exist because agents are built to act, not just answer. A coding agent that cannot run a build or a test is barely useful, so shell access is table stakes. MCP extends that reach: a server is not data the agent reads but a program it launches, and over the stdio transport the launch is the execution. Skills can carry executable scripts, and a hook is code wired to an event.
The human approval gate was supposed to contain this, and it erodes two ways. Vendors ship convenience modes - auto-run, yolo mode, auto-approve allowlists - that skip the prompt entirely; a yolo-mode flaw in Copilot for VS Code (CVE-2025-53773) turned that opt-in into remote code execution. And where prompts remain, approval fatigue sets in: an agent that asks to run a command dozens of times an hour trains its operator to click approve without reading. A gate a human rubber-stamps is not a gate.
Attack scenarios
- Silent shell execution. A crafted context or configuration causes the agent to run shell commands the operator never sees or approves, as documented in the Gemini CLI silent-execution finding.
- Config that runs on open. Project-scoped config files execute when the agent opens or trusts a workspace. A malicious Claude Code project file (CVE-2025-59536) could run code and exfiltrate tokens the moment a repository was trusted, with nothing typed or approved.
- Git hooks as a trigger. A hook planted in a cloned repository fires on a routine commit or checkout and reaches host execution, as in the Cursor git-hooks sandbox escape (CVE-2026-26268).
- Run-on-install MCP server. Adding a popular-looking MCP server runs its code on first launch; stdio transport makes the decision to enable the decision to execute.
Execution path, trigger, incident class
| Execution path | What triggers it | Incident class |
|---|---|---|
| Shell / terminal tool | Agent decides a command is needed | Silent or over-approved command execution |
| Auto-run / yolo mode | A convenience setting skips the prompt | Unattended remote code execution |
| MCP stdio server | Enabling or launching the server | Run-on-install code execution |
| Skill / hook script | Task match or lifecycle event | Instruction-supply-chain execution |
| Project config file | Opening or trusting a workspace | Run-on-open RCE and token theft |
| Git hook | Clone, commit, or checkout | Run-on-git-action RCE |
Mitigations
- Enumerate the execution paths you have. You cannot govern primitives you have not counted. Inventory which agents carry shell tools, which run in auto-approve modes, which MCP servers are enabled, and which skills and hooks are installed across the fleet.
- Default the human gate on, and keep it meaningful. Disable auto-run and blanket allowlists where they are not justified, and scope exceptions narrowly. An approval that fires rarely and specifically survives a busy engineer; one that fires constantly does not.
- Enforce at the tool-call boundary. The common choke point for shell, MCP, and script execution is the tool call. A hook that evaluates each call against policy before it runs converts an unapproved execution into a logged, denied attempt.
- Treat config and hooks as code. Files, task definitions, and git hooks that execute on open or on git actions deserve the same review and change-tracking as any other executable.
- Keep the trail. Execution is where injection turns into impact. Retain a queryable record of what ran and what triggered it, long enough to investigate.
How Anomity helps
Anomity's lightweight, unprivileged Endpoint Sensor discovers the artifacts that carry these execution paths - AI agents, MCP servers, extensions, plugins, skills, hooks, and CLIs - and records each one's source, owner, version, and reach, so the ways code can run on a fleet become enumerable instead of assumed. On agents that expose a hook, such as Claude Code's PreToolUse, it evaluates each tool call and returns allow, deny, or log before the command, process, or script runs. A newly enabled auto-run mode or a freshly installed server surfaces as a change event, violations route to SIEM, Slack, email, and Jira, and every decision lands in a queryable 90-day audit trail.




