TL;DR: Command injection and prompt injection flaws in Google’s Gemini CLI showed that AI development tools can turn model interaction into system-level compromise; the issues were fixed through Google’s Vulnerability Rewards Program, according to Cyera. Access review processes assume access persists long enough to be reviewed, but AI tools can translate prompt content into privileged execution in a single session.
NHIMG editorial — based on content published by Cyera: From Prompt to Exploit, which discloses command and prompt injection vulnerabilities in Gemini CLI
By the numbers:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern AI development tools that can execute shell commands?
A: Security teams should govern AI development tools as privileged execution surfaces, not as simple interfaces.
Q: Why do prompt injection flaws become more dangerous when a CLI can access local secrets?
A: Prompt injection becomes materially more dangerous when the tool can act with inherited local privileges.
Q: What do teams get wrong about command injection in AI tooling?
A: Teams often assume command injection is only a code-quality issue inside the application. In AI tooling it is also a privilege issue, because the tool executes whatever it constructs under the developer's inherited local authority.
Practitioner guidance
- Separate prompt handling from command execution: run AI developer tools in constrained environments where model output cannot directly reach a shell.
- Remove shell interpolation from installation and wrapper logic: rewrite CLI operations to call processes with argument arrays rather than constructed strings.
- Treat AI dev tools as privileged NHI workloads: apply least privilege to the process, workstation, and surrounding automation.
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- The exact code paths behind the VS Code extension installation command injection finding.
- The prompt-injection bypass logic and validation gap that allowed backtick substitution.
- The LLM-augmented research workflow, including Semgrep triage and manual validation steps.
- The remediation notes and platform-specific impact details for Linux, macOS, and Windows.
👉 Read Cyera's research on Gemini CLI command and prompt injection →
Gemini CLI injection flaws: are AI dev tools ready for real use?
Explore further
Prompt injection is now an execution problem, not just a model problem: Cyera’s findings show that natural language inputs become security events when the toolchain converts them into shell activity. That means the control objective is no longer only model safety, but the integrity of the execution boundary around the model. Practitioners should treat AI development tools as identity-bearing systems with explicit trust boundaries, not as passive interfaces.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Our survey data also shows: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting partial visibility.
A question worth separating out:
Q: Who is accountable when an AI CLI tool turns a prompt into system-level access?
A: Accountability sits with the organisation that granted the process its privileges and approved the workflow architecture. The human may type the prompt, but the tool is the actor that executed the command under inherited authority. That is why AI CLI governance needs ownership, review, and containment rules at the platform level.
👉 Read our full editorial: Gemini CLI prompt injection shows the new AI tool attack surface