{"slug": "is-your-agent-s-grep-tool-a-shell-command", "title": "Is your agent's grep tool a shell command?", "summary": "AgentX released a tool called 'scan' that audits the tool definitions of AI agents to surface hidden risks. The scanner found that common tools like 'grep', 'calculator', and 'query' in popular TypeScript agents can execute arbitrary shell commands or delete data, despite benign-sounding names. The tool ranks each tool by risk level and provides evidence, helping developers identify unguarded attack surfaces.", "body_md": "When you give an LLM a tool, you hand it a real function and let it choose the arguments. Those tools are everything your agent can do to a real system: read a file, write to your database, send an email, run a shell command, delete data. They are your risk surface, and most teams have never looked at it in one place.\n\nSo we did. We ran `scan`\n\nacross a batch of popular open-source TypeScript AI agents. A few of the things it found, none of them exotic:\n\n`grep`\n\nand `glob`\n\ntools, which sound read-only, actually shell out through `execSync`\n\n. Its `bash`\n\ntool passes a model-chosen string straight to `spawn`\n\n. Arbitrary command execution, behind three innocuous names.`query`\n\ntool that fires an HTTP `DELETE`\n\n. A \"query\" that deletes.`calculator`\n\nthat runs `eval`\n\non whatever the model types, in a widely-used agent framework. Arbitrary code execution behind the friendliest name in the box.`fetch`\n\ntool aimed at whatever URL the model supplies. That is a door to your internal network (an SSRF surface).Notice the pattern. The dangerous tools are not named `dangerous`\n\n. They are named `grep`\n\n, `query`\n\n, `calculator`\n\n. A name is a claim. The code is the evidence.\n\n`scan`\n\nreads that evidence. One command, no install, no signup, no code change:\n\n```\nnpx @agentx-core/scan .\n```\n\nIt lists every tool the model can call and ranks each one by what it can do, from read-only up to destructive:\n\n```\n🔍 AGENTX SCAN        (TypeScript · 3 files · 5 tools)\n===========================================================================\n\n  RISK   TOOL                GUARD              WHY\n  ----   ----                ------   ------------------------\n  high   calculator          yes      calls `eval`\n         lib/tools/compute.ts:4\n  high   grep                yes      calls `execSync`\n         lib/tools/system.ts:8\n  med    sendEmail           yes      calls `mailer.send`\n         lib/tools/io.ts:5\n  med    fetchUrl            yes      outbound req to agent-controlled host (SSRF)\n         lib/tools/io.ts:11\n\n  2 of 5 tools can take destructive or batch actions.\n  Nothing here is guarding them: no AgentX in this project's dependencies.\n```\n\nEvery ranking carries its evidence, so you can check it instead of trusting it. Scan reads the tool's body, not its name: a tool called `tidyUp`\n\nthat deletes files ranks high, and a scary-sounding tool whose code is actually clean goes to \"review,\" not the top. When it cannot tell, it says so. On one agent, all 32 tools came back \"nothing here to guard\" because they run elsewhere, and scan said exactly that instead of inventing risk.\n\nIt does not run your code, and it does not decide whether a tool is exploitable. It sorts an inventory so the dangerous end is the first thing you see. Expect roughly a third of a real codebase to land in \"review.\" That is the honest cost of not guessing.\n\nScan reports. It does not change your code. To actually guard what it finds, put the AgentX gateway in front of your agent, or wrap your MCP server in one line. Both are language-agnostic, so there is no SDK to adopt.\n\nIt covers TypeScript agents built on the Vercel AI SDK today. Python agent? The scanner is TypeScript for now, but the guard it points to, the gateway and the MCP wrapper, is language-agnostic. Run it on yours:\n\n```\nnpx @agentx-core/scan .\n```\n\nThis matters more as models get better, not less. A more capable agent does more with an unguarded tool.\n\n`npx @agentx-core/scan .`", "url": "https://wpnews.pro/news/is-your-agent-s-grep-tool-a-shell-command", "canonical_source": "https://dev.to/vdalal/is-your-agents-grep-tool-a-shell-command-4002", "published_at": "2026-07-18 23:48:22+00:00", "updated_at": "2026-07-18 23:58:44.261741+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools", "ai-infrastructure"], "entities": ["AgentX", "Vercel AI SDK"], "alternates": {"html": "https://wpnews.pro/news/is-your-agent-s-grep-tool-a-shell-command", "markdown": "https://wpnews.pro/news/is-your-agent-s-grep-tool-a-shell-command.md", "text": "https://wpnews.pro/news/is-your-agent-s-grep-tool-a-shell-command.txt", "jsonld": "https://wpnews.pro/news/is-your-agent-s-grep-tool-a-shell-command.jsonld"}}