"Your AI, My Shell": Demystifying Prompt Injection Attacks on Agentic AI Coding Editors
Yue Liu 1, Yanjie Zhao 2, Yunbo Lyu 1, Ting Zhang 3, Haoyu Wang 2, David Lo 1
Published on arXiv: 2509.22040
Prompt Injection (OWASP LLM Top 10: LLM01)
Excessive Agency (OWASP LLM Top 10: LLM08)
Key Finding: Indirect prompt injection via poisoned external development resources achieves up to 84% attack success rate for executing malicious commands on GitHub Copilot and Cursor.
Novel technique introduced: AIShellJack
Agentic AI coding editors driven by large language models have recently become more popular because they improve developer productivity during software development. Modern editors such as Cursor are designed not just for code completion; they are also granted broader system privileges for complex coding tasks (e.g., running commands in the terminal, accessing development environments, and interacting with external systems). While this brings us closer to the "fully automated programming" dream, it also raises new security concerns. In this study, we present the first empirical analysis of prompt injection attacks targeting these high-privilege agentic AI coding editors. We show how attackers can remotely exploit these systems by poisoning external development resources with malicious instructions, effectively hijacking AI agents into running malicious commands and turning "your AI" into the "attacker's shell". To perform this analysis, we implement AIShellJack, an automated testing framework for assessing prompt injection vulnerabilities in agentic AI coding editors. AIShellJack contains 314 unique attack payloads that cover 70 techniques from the MITRE ATT&CK framework. Using AIShellJack, we conduct a large-scale evaluation of GitHub Copilot and Cursor; our results show that attack success rates can reach as high as 84% for executing malicious commands. Moreover, these attacks are shown to be effective across a wide range of objectives, from initial access and system discovery to credential theft and data exfiltration.
Key Contributions
- First empirical analysis of prompt injection attacks specifically targeting high-privilege agentic AI coding editors (GitHub Copilot, Cursor)
- AIShellJack: an automated testing framework with 314 attack payloads covering 70 MITRE ATT&CK techniques for assessing prompt injection vulnerabilities in coding editors
- Large-scale evaluation demonstrating attack success rates up to 84% across objectives including initial access, system discovery, credential theft, and data exfiltration