GitHub Copilot CLI's shell tool classifies commands as "read-only" or "dangerous" using a safety assessment layer — but that classifier is defeated by bash parameter expansion syntax. Operators such as ${var#pattern} or ${var^} can embed arbitrary command execution inside strings that surface as benign to the classifier.
An attacker who can influence what commands the CLI agent executes — through prompt injection via repository files, malicious MCP server responses, or crafted user instructions — can trigger arbitrary code execution on the developer's machine while the agent believes it is running a safe, read-only operation.
The blast radius is the full developer workstation: any file, secret, credential, or outbound network connection accessible from the shell process. Because repository files are a confirmed injection vector, simply opening a malicious project in Copilot CLI is sufficient to trigger exploitation.
Immediate recommendation: Audit any use of GitHub Copilot CLI against untrusted repositories or MCP servers. Treat all shell tool invocations as potentially dangerous until a patched version with parameter-expansion sanitization is available. Do not rely on "read-only" classification as a security control.
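The classifier failure described above is that the verdict is derived from how the command string looks before the shell has evaluated it. A defensive pre-check that refuses a "read-only" verdict to anything the shell would still expand or substitute at run time is shown below. This is an added example and not Copilot CLI's own classifier code; the `DYNAMIC_SYNTAX` patterns, the `READ_ONLY_COMMANDS` allow-list, and the `classify` function are assumptions for illustration.

```python
import re
import shlex

# Added example (not Copilot CLI's own code): a conservative pre-check that denies
# a "read-only" verdict to any command line carrying bash syntax that defers
# evaluation to the shell. Regexes and allow-lists below are assumptions.
DYNAMIC_SYNTAX = {
    "parameter_expansion": re.compile(r"\$\{"),      # ${var#pattern}, ${var^}, ...
    "command_substitution": re.compile(r"\$\(|`"),   # $(...) and `...`
    "process_substitution": re.compile(r"[<>]\("),   # <(...) and >(...)
    "control_operator": re.compile(r"[;&|\n]"),      # compound commands need per-segment review
}

# Hypothetical allow-list of command words a naive classifier treats as read-only.
READ_ONLY_COMMANDS = {"ls", "cat", "head", "tail", "grep", "stat", "wc"}
READ_ONLY_GIT_SUBCOMMANDS = {"status", "log", "diff", "show", "branch"}


def find_dynamic_syntax(cmd: str) -> list[str]:
    """Names of the dynamic-syntax classes present in the raw command string."""
    return sorted(name for name, rx in DYNAMIC_SYNTAX.items() if rx.search(cmd))


def classify(cmd: str) -> str:
    """Return 'read-only', 'dangerous' or 'needs-review'.

    The raw string is inspected first: if the shell would still expand or
    substitute anything at run time, the leading command word says nothing
    about what actually executes, so the verdict is 'needs-review' instead of
    'read-only'. Only a fully static argv is matched against the allow-list.
    """
    if find_dynamic_syntax(cmd):
        return "needs-review"
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: let a human look at it
        return "needs-review"
    if not argv:
        return "needs-review"
    word = argv[0]
    if word in READ_ONLY_COMMANDS:
        return "read-only"
    if word == "git" and len(argv) > 1 and argv[1] in READ_ONLY_GIT_SUBCOMMANDS:
        return "read-only"
    return "dangerous"


if __name__ == "__main__":
    # Constructed sample command lines, as an agent might propose them.
    for sample in ["git status", "cat README.md", "rm -rf build",
                   "echo ${name^}", "cat $(which python)", "ls; cat x"]:
        print(f"{sample!r:24} -> {classify(sample):12} {find_dynamic_syntax(sample)}")
```

The check errs toward review: a quoted `|` inside a `grep -E` pattern is flagged just like a real pipeline, which is the intended trade-off for a control that gates what an agent may run unattended. The point is that a read-only verdict is only meaningful for an argv the shell will not rewrite; anything else goes to the human.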