It's probably bad that the system 1) usually prompts you to take shell actions like `curl`, but 2) by default whitelists `env` and `find` that can invoke whatever it wants without approval.

If 2) is fine then why bother with 1)? In yolo mode such an injection would be "working as designed", but it's not in yolo mode. It shouldn't be able to just do `env sh` and run whatever it wants without approval.

Isn’t the news that “curl whatever” will prompt the user for confirmation but “env curl whatever” won’t?

It does circumvent a flimsy control:

"The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval."

Reading the other posts on their site, I don't agree. It's just like any other security research shop. I've found most of their posts quite thorough and the controls being circumvented well explained.

Please email the mods rather than posting accusations of astroturfing. You may well be right, but they specifically direct us to say that to them rather than in comments. The footer contact email works well for this.