LLM Agents Should Never Execute Raw Commands

Prompt injection is only a symptom. The real problem is command injection in agent-driven systems. Large Language Models are rapidly becoming the interface between humans and software systems. Developers are building agents capable of triggering automation, managing users, generating reports, and interacting directly with backend infrastructure. The architecture often looks deceptively simple: User ↓ LLM ↓ Generated text ↓ Backend execution At first glance, this seems perfectly reasonable. But there is a fundamental mismatch hiding in this architecture. LLMs generate text. Backend systems execute commands. Treating generated text as if it were a valid command interface introduces a class of risks that are often misunderstood. A Simple Example Imagine an administrative system controlled through an AI assistant. A user asks: Create a new admin user called john The model might generate a command like: CREATE USER john WITH ROLE admin If the backend executes this command directly, everythi