Autopilot Approval Cache Can Enable Persistent Dangerous Shell Execution Escalation #103

Open

Description

Deep Copilot’s approval system includes cached shell-command approvals and full autopilot execution modes for trusted workspaces. In long-running agent sessions this creates a potential privilege-escalation risk: previously approved dangerous shell execution patterns may persist across evolving agent contexts without sufficient contextual revalidation.

The issue becomes especially dangerous because:

shell approvals can become stateful
workflows are multi-turn and autonomous
tools can chain recursively after edits
post-tool hooks inject execution feedback back into the model
MCP servers extend external execution surfaces

This creates a compound trust-escalation surface inside long-running autonomous coding sessions.

cc: @maintainers

Affected areas:

approval manager
run_shell tool
post-tool hooks
MCP integration layer
agent orchestration runtime

Potential attack vectors:

stale dangerous-command approval reuse
prompt-injected shell escalation
malicious MCP tool chaining
approval cache poisoning
recursive hook-triggered execution
context drift during autopilot sessions

Steps to reproduce:

Enable autopilot or auto-edit mode
Approve a dangerous shell pattern once
Trigger multiple autonomous tool-calling loops
Inject modified shell payloads through iterative agent reasoning
Observe whether execution trust persists without semantic revalidation

Expected behaviour:

dangerous shell commands should require contextual revalidation
approval state should expire deterministically
command semantics should be re-evaluated after context drift
recursive execution chains should remain isolated
MCP-triggered execution should enforce separate trust boundaries

Actual behaviour:
The current approval architecture may allow previously trusted execution contexts to persist across evolving orchestration flows, increasing the risk of unintended or escalated shell execution.

Potential impact:

unintended filesystem mutation
privilege escalation inside trusted workspaces
recursive destructive command execution
compromised agent isolation
malicious MCP execution propagation
automated destructive workflow chaining

Suggested fix:

semantic approval hashing
short-lived approval leases
contextual execution attestation
per-tool trust isolation
recursive execution depth limits
approval replay invalidation
separate MCP execution sandboxing
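As an added illustration of the semantic-hashing, short-lease, replay-invalidation and depth-limit items above (example code, not Deep Copilot's implementation): a minimal approval manager that keys each approval on a hash of (tool, workspace, normalized command), expires it after a short lease, refuses replay from a changed agent context, and caps recursive chain depth. The class and function names, the 300-second lease, the depth cap of 3 and the context-id scheme are all assumptions.

```python
import hashlib
import shlex
from dataclasses import dataclass, field

LEASE_SECONDS = 300     # assumed short-lived approval lease
MAX_CHAIN_DEPTH = 3     # assumed cap on hook/MCP-triggered recursive execution


def semantic_key(tool: str, workspace: str, command: str) -> str:
    """Hash the approval over the calling tool, the workspace and the
    shell-tokenized command, so an approval granted to `run_shell` cannot be
    replayed by an MCP tool, in another workspace, or for a reworded command.
    Tokenizing only collapses whitespace/quoting differences; any change in
    arguments yields a different key."""
    tokens = shlex.split(command)
    material = "\0".join([tool, workspace, *tokens])
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Lease:
    expires_at: float   # absolute time after which the approval is dead
    context_id: str     # id of the agent context the user approved in (assumed)


@dataclass
class ApprovalManager:
    leases: dict[str, Lease] = field(default_factory=dict)

    def approve(self, tool, workspace, command, context_id, now):
        """Record a user approval as a lease bound to semantics and context."""
        key = semantic_key(tool, workspace, command)
        self.leases[key] = Lease(now + LEASE_SECONDS, context_id)
        return key

    def authorize(self, tool, workspace, command, context_id, depth, now):
        """Return (allowed, reason). Expired or context-drifted leases are
        dropped on the spot so they cannot be retried by a later turn."""
        if depth > MAX_CHAIN_DEPTH:
            return False, "recursive execution depth exceeded"
        key = semantic_key(tool, workspace, command)
        lease = self.leases.get(key)
        if lease is None:
            return False, "no approval for this tool/workspace/command"
        if now >= lease.expires_at:
            del self.leases[key]
            return False, "approval lease expired"
        if lease.context_id != context_id:
            del self.leases[key]
            return False, "context drift since approval; re-approval required"
        return True, "approved"
```

The `depth` argument is whatever the orchestrator counts as nested hook- or MCP-triggered calls since the user's turn; separate sandboxing of MCP execution is outside this snippet.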

Suggested labels:
security
shell-execution
mcp
agentic-ai
advanced
backend
