Install command
Not provided
Source-backed rules for reviewing AI-generated code that builds or runs operating-system commands, shell invocations, or subprocesses before merge for command injection and argument injection risk, covering library alternatives to shelling out, array-form process APIs, allowlist input validation, and least-privilege execution.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
1 listed
Install type
Copy & paste
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup. Includes a review or approval gate.
Safety & privacy surface
3 safety and 3 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.
You are reviewing AI-generated code for OS command injection and argument
injection risk.
Rules:
1. Prefer a built-in library function or API over shelling out at all —
for example a filesystem library's `mkdir`/`copy`/`remove` instead of
invoking `mkdir`/`cp`/`rm` as a subprocess. If no untrusted input ever
reaches a shell, injection is not possible.
2. When invoking an external program is unavoidable, use the array/list
form of the process API (`subprocess.run([...], shell=False)`,
Node's `execFile`/`spawn` with an argument array, Java's
`ProcessBuilder`) so arguments are passed directly to the program
without a shell parsing them — never build a single command string and
pass it to a shell interpreter.
3. Flag any use of a shell-invoking call with `shell=True` (Python),
`exec`/`execSync` given a string command (Node), `os.system`, backticks,
or an equivalent shell-parsed call, when any part of the command or its
arguments comes from user input, a file, or an external system.
4. Validate the command itself against an allowlist of permitted commands,
and validate each argument with positive/allowlist validation (a
regular expression of allowed characters and a bounded length) rather
than a denylist of "dangerous" characters.
5. Treat this as argument injection even when the command name is fixed:
if an attacker can control an argument's value (for example a flag like
`--output=...` or `--help`), they can still change the program's
behavior; use a `--` end-of-options delimiter or the library's
equivalent where supported.
6. Confirm the process runs with the least privilege necessary for the
task, not with elevated/root privileges inherited from the parent
process, so a successful injection has the smallest possible blast
radius.Use these rules when an AI coding assistant writes or edits code that builds a shell command or invokes an external program. The goal is to stop a generated integration, build script, or file-processing feature from shipping a command injection hole because it works for the expected input and looks like ordinary subprocess code.
This is a review policy, not a command-injection tutorial. It tells reviewers what must be true about a generated change's process-invocation API, input validation, and privilege level before the change is safe to merge.
Collect enough context to know what the process call actually does and where its inputs come from.
/bin/sh or cmd.exe) or the array/list form that bypasses shell
parsing.subprocess.run([...], shell=False) in Python, execFile/spawn with an
argument array in Node.js, ProcessBuilder with separate arguments in
Java.shell=True, os.system, exec/execSync given a single string,
backticks, or any API that hands a whole command line to a shell, whenever
any part of that line is not a hardcoded literal.Runtime.exec given a string) split on whitespace and invoke the
first token directly without shell metacharacter support, while others
genuinely invoke a shell — verify which behavior the specific API in the
diff actually has before treating it as safe.& | ; $ > < \ \ ! ' " ( )` and whitespace are
common shell metacharacters, but a denylist is easy to miss a variant of).--help, --output=..., or a
second target) and change the program's behavior.--
end-of-options delimiter (or the equivalent convention) so
attacker-controlled values cannot be interpreted as flags.escapeshellarg()) reduce risk but
do not fully close argument injection; prefer array-form APIs and
allowlist validation as the primary defenses, with escaping only as an
additional layer when shelling out cannot be avoided at all.Block merge when any of these is true.
shell=True,
os.system, string-form exec, backticks) without going through the
array-form API instead.AI assistants can write and review process-invocation code, but they should show their evidence.
Before adding a new subprocess call, confirm the codebase does not already have a shared wrapper or library helper for this task. A generated change that shells out next to an existing safe wrapper, or reintroduces a string-form command where a validated array-form helper already exists, should be treated as suspicious — check whether the existing mechanism was simply not reused before adding a second, parallel, and possibly unsafe one.
| Pattern | Risk | Fix |
|---|---|---|
os.system(f"cmd {user_input}") |
Shell parses metacharacters in user_input |
subprocess.run(["cmd", user_input], shell=False) |
exec("cmd " + userInput) (Node) |
String handed to /bin/sh -c |
execFile("cmd", [userInput]) or spawn with an array |
escapeshellarg() alone |
Prevents command chaining, not argument injection | Array-form API plus allowlist argument validation |
Denylist of &, ` |
, ;`, etc. |
Easy to miss a metacharacter or encoding variant |
| Fixed command, attacker-controlled argument | Argument injection (unexpected flags) | -- end-of-options delimiter plus allowlist validation |
child_process documentationsubprocess documentation — Security ConsiderationsShow that AI-Generated OS Command Injection Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-command-injection-review-rules)AI-Generated OS Command Injection Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Source-backed rules for reviewing AI-generated code that builds or runs operating-system commands, shell invocations, or subprocesses before merge for command injection and argument injection risk, covering library alternatives to shelling out, array-form process APIs, allowlist input validation, and least-privilege execution. Open dossier | Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions. Open dossier | Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations. Open dossier | Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Added | 2026-07-15 | 2026-06-22 | 2026-07-15 | 2026-07-15 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓A successful OS command injection lets an attacker run arbitrary commands with the privileges of the running process, which can mean full remote code execution, data exfiltration, or lateral movement on the host. AI assistants often shell out with a string-interpolated command (f-string, template literal, string concatenation) because it is the shortest path to invoking an external tool, without switching to the array-form API or validating input. Even a fixed, non-attacker-controlled command name is not safe if an attacker can control one of its arguments — argument injection can still cause information disclosure or code execution depending on the command. | ✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it. | ✓A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check. | ✓Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces. |
| Privacy notes | ✓Command injection proof-of-concept payloads and captured process output can expose real filesystem contents, environment variables, or credentials; use a sandboxed environment and redact captures before pasting them into a PR or issue. Do not commit real file paths, hostnames, or internal tool names discovered while testing a suspected injection into a public PR or issue description. Subprocess output and error streams are a common place for secrets (API keys, tokens in env vars) to leak into logs; avoid logging raw stdout/stderr from a shelled-out command that could echo them back. | ✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards. | ✓IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied. | ✓Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Review AI-generated pull requests with repeatable security, test, and evidence checks.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.