OWASP ASI05: Unexpected Code Execution

Agentic systems including popular vibe coding tools generate and execute code at runtime. Because the code is produced on the fly, traditional security controls miss it. ASI05 extends LLM01:2025 Prompt Injection and LLM05:2025 Improper Output Handling into multi-tool chains and in-memory execution primitives that lead to host compromise.

Common ASI05 patterns include:

• Prompt injection to code execution: Reflected prompts contain shell commands the agent runs.
• Code hallucination with backdoors: Agents emit code that looks legitimate but hides malicious logic.
• Unsafe deserialization: Generated serialized objects trigger code execution on the consumer.
• Multi-tool chain exploitation: A sequence of legitimate tools achieves RCE that no single tool would.
• Exposed eval primitives: Memory tools or template engines accept attacker-controlled input.

The Replit vibe-coding runaway that deleted production data, the Amazon Q DNS-exfiltration injection, and the GitHub Copilot RCE all fit the ASI05 pattern. Containment combines hardened sandboxes, eval bans, output inspection, package allowlists, and human approval for elevated runs.

How PointGuard AI Helps

PointGuard's Agent Governance Mesh runs agents in hypervisor-grade sandboxes with ring isolation and resource limits, while Intelligent Guardrails inspect agent output for shell payloads, unsafe deserialization, and prompt-injection markers before any code executes.

Learn More

OWASP Top 10 for Agentic Applications

Microsoft Security Blog: When Prompts Become Shells

NIST AI 100-2 Adversarial ML Taxonomy