The Evolution of the KytyPS5 Compatibility Layer
The Trust Trap in Automated Code Analysis

Modern LLM agents, such as Claude Code and OpenAI Codex, have evolved from simple chatbots into full-fledged autonomous operators capable of interacting with file systems and executing terminal commands. While this functionality provides a powerful lever for accelerating development, it simultaneously opens a critical attack vector that researchers at the AI Now Institute have termed "Friendly Fire." The core of the problem lies in the model's fundamental trust in external data: the agent perceives instructions embedded within project documentation as legitimate directives for conducting an audit.
The mechanics of the attack are elegantly simple, relying on the concept of Indirect Prompt Injection. An attacker does not need to breach the model itself or hunt for vulnerabilities within its weights; it is sufficient to place a standard README.md file in a public repository or inject one into an existing project. To a human, this file appears as routine documentation, but to an autonomous AI agent, it becomes an operational manual. The text contains instructions to run a specific script—such as security.sh—under the guise of performing a deep security check or verifying dependencies.
When a developer enables autonomous mode (such as auto-mode in Claude Code or auto-review in Codex), the agent begins exploring the project independently. Upon reading the README.md, the model interprets the call to execute the script as a necessary step in the workflow. Consequently, the AI voluntarily executes malicious code, which can deploy a hidden binary or establish a backdoor directly on the user's workstation.
It is crucial to recognize that this issue is not a software bug that can be resolved with a simple patch; rather, it is a profound architectural flaw inherent to the concept of autonomous agents. The vulnerability emerges the moment a model is granted the authority to execute system commands based on the analysis of untrusted content. If an agent possesses code execution privileges while simultaneously trusting external text sources, it inevitably becomes a tool for the attacker.
Friendly Fire is not an isolated incident but part of a systemic pattern of exploiting AI's trust in external text. The industry has encountered similar techniques previously: TrustFall utilized configuration files, GhostApproval exploited symbolic links, and Agentjacking relied on fraudulent bug reports. Each of these methods confirms the same truth: any text that a model perceives as an instruction can be leveraged to hijack control.
To neutralize such threats, the industry must rethink its approach to autonomy. The most obvious solution is rigorous execution environment isolation (sandboxing), where the agent operates within an ephemeral container without access to the host system. Additionally, the "human-in-the-loop" principle remains critical—requiring manual confirmation for every command. While this completely blocks the Friendly Fire scenario, it significantly reduces operational velocity.
Ultimately, this case forces us to view AI agents not merely as convenient utilities, but as privileged components of our infrastructure. In a world where neural networks write and verify code, the automation process itself becomes the attack surface. Security now demands more than just scanning code for bugs; it requires strict governance over how AI interprets the instructions used to perform that very analysis.

