Snowflake Cortex AI Escapes Sandbox and Executes Malware
A good reminder that agent safety is not just about having a sandbox.
Snowflake’s Cortex Code CLI recently patched an indirect prompt injection flaw in which untrusted content, such as a repository README, could trigger malicious shell commands that bypassed user approval and ran outside the sandbox [1].
The deeper lesson is that safety can fail in two places at once: incomplete command validation and weak observability across agent layers. If a lower-level agent can act while the top-level agent thinks it only detected risk, the system is not actually in control.
Multi-agent systems need recursive validation, strong isolation, and end-to-end action visibility.
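To make "recursive validation" and "end-to-end action visibility" concrete, here is an added Python sketch (my own example, not Snowflake's code or PromptArmor's findings) of a command approval gate: a naive check that inspects only the outermost binary, beside one that unwraps wrapper commands and `sh -c` strings, validates every command that will actually execute, and records each layer it inspected. The allowlist, the wrapper table and the sample commands are constructed for this example.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed policy for this example: binaries an agent may run without a human
# in the loop, plus wrappers that hand execution on to some other command.
AUTO_APPROVED = {"echo", "ls", "cat", "git", "env", "timeout", "nice"}
PREFIX_WRAPPERS = {"env": 0, "timeout": 1, "nice": 0}  # args to skip before the inner command
SHELL_WRAPPERS = {"sh", "bash"}


@dataclass
class Decision:
    allowed: bool
    trail: list = field(default_factory=list)  # every layer that was inspected (audit trail)


def naive_validate(cmd: str) -> Decision:
    """Looks only at the outermost binary: the incomplete check the post warns about."""
    argv = shlex.split(cmd)
    ok = bool(argv) and argv[0] in AUTO_APPROVED
    return Decision(ok, [f"depth 0: {argv[0] if argv else '<empty>'}"])


def recursive_validate(cmd: str, depth: int = 0) -> Decision:
    """Unwraps wrappers and `sh -c` scripts so every command that will really run is
    validated, failing closed, and records each layer for end-to-end visibility."""
    argv = shlex.split(cmd)
    if not argv:
        return Decision(False, [f"depth {depth}: <empty>"])
    prog = argv[0]
    trail = [f"depth {depth}: {prog}"]
    if prog in SHELL_WRAPPERS and "-c" in argv:
        # The real work is inside the -c string; judge each list/pipeline segment.
        # Simplified splitter: a production gate should use a real shell parser.
        script = argv[argv.index("-c") + 1]
        for segment in re.split(r"\s*(?:\|\||&&|[;|])\s*", script):
            sub = recursive_validate(segment, depth + 1)
            trail += sub.trail
            if not sub.allowed:
                return Decision(False, trail)
        return Decision(True, trail)
    if prog in PREFIX_WRAPPERS:
        skip = 1 + PREFIX_WRAPPERS[prog]
        while prog == "env" and skip < len(argv) and "=" in argv[skip]:
            skip += 1  # env also accepts leading NAME=VALUE assignments
        inner = argv[skip:]
        if not inner:
            return Decision(False, trail)
        sub = recursive_validate(shlex.join(inner), depth + 1)
        return Decision(sub.allowed, trail + sub.trail)
    return Decision(prog in AUTO_APPROVED, trail)
```

With `timeout 30 sh -c 'git status && rm -rf build'` the naive gate approves (`timeout` is allowlisted) while the recursive gate denies at the `rm` layer, and its trail shows exactly which layer tripped.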
References
[1] “Snowflake Cortex AI Escapes Sandbox and Executes Malware.” PromptArmor. https://www.promptarmor.com/resources/snowflake-ai-escapes-sandbox-and-executes-malware
Originally posted on LinkedIn.
