AutoGPT: Unvalidated Tool Call Chain
Summary
Nixer identified a critical prompt injection vulnerability in AutoGPT's tool execution loop. By chaining adversarial tool names and arguments within a single user message, an attacker can force the agent to perform unauthorized system operations.
Technical Details
AutoGPT's planner agent does not validate the origin or authorization of tool names embedded in multi-turn conversations. A malicious prompt can inject a crafted tool call sequence that bypasses authorization checks and executes arbitrary commands.
Impact
Any AI agent using AutoGPT's tool execution loop is vulnerable to arbitrary command injection, data exfiltration, and unauthorized file system access through prompt payloads.
Affected Versions
AutoGPT < 0.3.2 (confirmed vulnerable)
Remediation
Update to AutoGPT 0.3.2 or later. Apply tool name allowlisting in the planner, validate argument schemas before execution, and disable shell tool access from untrusted prompt sources.