Deep Copilot’s approval system includes cached shell-command approvals and full autopilot execution modes for trusted workspaces. Under long-running agent sessions, there is a potential privilege-escalation risk where previously approved dangerous shell execution patterns may persist across evolving agent contexts without sufficient contextual revalidation.
The issue becomes especially dangerous because:
shell approvals can become stateful
workflows are multi-turn and autonomous
tools can chain recursively after edits
post-tool hooks inject execution feedback back into the model
MCP servers extend external execution surfaces
This creates a compound trust-escalation surface inside long-running autonomous coding sessions.
cc: @maintainers
Affected areas:
approval manager
run_shell tool
post-tool hooks
MCP integration layer
agent orchestration runtime
Potential attack vectors:
stale dangerous-command approval reuse
prompt-injected shell escalation
malicious MCP tool chaining
approval cache poisoning
recursive hook-triggered execution
context drift during autopilot sessions
Steps to reproduce:
Enable autopilot or auto-edit mode
Approve a dangerous shell pattern once
Trigger multiple autonomous tool-calling loops
Inject modified shell payloads through iterative agent reasoning
Observe whether execution trust persists without semantic revalidation
Expected behaviour:
dangerous shell commands should require contextual revalidation
approval state should expire deterministically
command semantics should be re-evaluated after context drift
recursive execution chains should remain isolated
MCP-triggered execution should enforce separate trust boundaries
Actual behaviour:
The current approval architecture may allow previously trusted execution contexts to persist across evolving orchestration flows, increasing the risk of unintended or escalated shell execution.
Potential impact:
unintended filesystem mutation
privilege escalation inside trusted workspaces
recursive destructive command execution
compromised agent isolation
malicious MCP execution propagation
automated destructive workflow chaining
Suggested fix:
semantic approval hashing
short-lived approval leases
contextual execution attestation
per-tool trust isolation
recursive execution depth limits
approval replay invalidation
separate MCP execution sandboxing
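As an added illustration of the semantic-hashing, short-lived-lease, per-tool-isolation, depth-limit and replay-invalidation items above (example code, not Deep Copilot's own approval manager; class and method names are hypothetical), a small approval cache that keys on normalized command semantics plus working directory and requesting origin, hands out single-use leases with a deadline, and refuses chained execution past a depth cap:

```python
import hashlib
import shlex
from dataclasses import dataclass, field

@dataclass
class Lease:
    expires_at: float  # monotonic deadline; the lease is dead after this
    uses_left: int     # replay invalidation: every use consumes one

@dataclass
class ApprovalManager:
    """Hypothetical approval cache keyed on command semantics, not raw text."""
    ttl_seconds: float = 300.0  # short-lived lease
    max_uses: int = 1           # single-use by default
    max_depth: int = 3          # recursive execution depth limit
    _leases: dict = field(default_factory=dict)

    @staticmethod
    def semantic_key(command: str, cwd: str, origin: str) -> str:
        # Tokenize so cosmetic variants ("rm  -rf x" vs "rm -rf x") collide,
        # while any change in argv, cwd or origin ("user", "hook", "mcp:<srv>")
        # yields a new key; shlex raises ValueError on unbalanced quotes.
        argv = shlex.split(command)
        material = "\x00".join([origin, cwd, *argv])
        return hashlib.sha256(material.encode()).hexdigest()

    def grant(self, command, cwd, origin, now):
        """Record an explicit approval; `now` is the caller's monotonic clock."""
        key = self.semantic_key(command, cwd, origin)
        self._leases[key] = Lease(now + self.ttl_seconds, self.max_uses)
        return key

    def check(self, command, cwd, origin, depth, now):
        """True only if a live, unconsumed lease exists for these semantics."""
        if depth > self.max_depth:
            return False  # chained hook/tool execution went too deep
        try:
            key = self.semantic_key(command, cwd, origin)
        except ValueError:
            return False  # an unparseable command is never auto-approved
        lease = self._leases.get(key)
        if lease is None or lease.expires_at <= now or lease.uses_left <= 0:
            self._leases.pop(key, None)  # drop stale or exhausted lease
            return False
        lease.uses_left -= 1
        return True

    def invalidate_all(self):
        """Call on context drift: new task, cwd change, hook-injected edits."""
        self._leases.clear()
```

A modified payload, a different requesting origin (for example an MCP server rather than the user), an expired lease or a second use of the same approval all fall through to a fresh approval prompt rather than silent reuse.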
Suggested labels:
security
shell-execution
mcp
agentic-ai
advanced
backend