AI agent path helpers emit unquoted paths to `test -f` / `git -C` / `grep` / `find`, breaking paths with shell metacharacters

[tkshsbcue]

Pre-submit Checks

• I have searched Warp bugs and there are no duplicates
• I have searched Warp known issues page and my issue is not there
• I have an issue with AI and have included the debugging ID (Optional, but helps expedite the AI quality fix). Debugging ID instructions
• I have technical issue and have included the logs (optional, but helps expedite the bug fix). Log instructions

Describe the bug

When the AI agent invokes its grep or file_glob tools, several internal helpers in app/src/ai/blocklist/action_model/execute/
build shell commands by interpolating an agent-supplied path directly into a double-quoted string and handing the result to
Session::execute_command:

// execute.rs
format!("test -f \"{path}\"")                                  // is_file_path (POSIX)
format!("if (Test-Path -PathType Leaf \"{path}\") ...")        // is_file_path (PowerShell)
format!("git -C \"{absolute_path}\" rev-parse")                // is_git_repository

// grep.rs
grep_command.push_str(format!(" \"{target_path}\"").as_str()); // git grep / grep
"Get-ChildItem -Path \"{}\" ... | Select-String ..."           // Select-String

// file_glob.rs
format!("find \"{target_path}\" -type f {pattern_args}")       // find
format!("Get-ChildItem ... -Path \"{target_path}\" ...")       // PowerShell Get-ChildItem

Inside POSIX "...", the shell still expands $VAR, `...`, and $(...). Inside PowerShell "...", the shell still expands $x (including
$env:USERPROFILE) and treats ` specially. POSIX filesystems permit all of these bytes in a path component and PowerShell accepts them
in -Path arguments, so a path containing shell metacharacters is split, expanded, or substituted by the shell before the underlying
tool (test, git, grep, find, Get-ChildItem, Test-Path, Select-String) ever sees it.

is_file_path and is_git_repository are particularly exposed because they are called as side-effects of the grep and file_glob tools
(run_grep → is_file_path + is_git_repository, run_file_glob → is_git_repository) before the user sees the user-facing command, so even
 path values the user never typed flow into the shell verbatim.

The repo already exposes the correct primitive: warp_util::path::ShellFamily::shell_escape covers both POSIX (backslash) and
PowerShell (backtick) families, and From<ShellType> for ShellFamily makes the dispatch one line. The sister helpers
format_change_directory_command (display_chip.rs) and the recently-fixed open_repo_folder / NeedsCd flows already do the right thing;
the agent-side helpers were missed.

This can lead to:
- Probing the wrong path silently (e.g. is_file_path("/tmp/$HOME/x") resolves $HOME and probes a path the user never named — dangerous
 behavior)
- Shell parsing errors when the path contains (, ), ;, &, |, etc.
- Unexpected command execution behavior when the path contains $(...) or backtick command substitution

### To reproduce

**To reproduce**
1. Create a directory whose name contains a shell metacharacter:

mkdir -p "/tmp/innocent\$(touch ~/PROBE_RAN)"
2. Ask the agent to grep or glob inside it, for example:

Search "TODO" in /tmp/innocent$(touch ~/PROBE_RAN)
3. Observe that the agent emits, e.g.:

test -f "/tmp/innocent$(touch ~/PROBE_RAN)"
3. to the user's shell. The shell evaluates $(touch ~/PROBE_RAN) before test -f runs, creating ~/PROBE_RAN.
4. ls ~/PROBE_RAN confirms the substitution ran as a side-effect of the agent's existence check.

### Expected behavior

**Expected behavior**
Every path the agent helpers interpolate into a shell command should be passed as a single, literal shell word — i.e. properly
shell-escaped for the session's shell family — so that the underlying tool always receives the exact path the agent asked about,
regardless of any special characters it contains.

For example, when probing the path:

/tmp/innocent$(touch ~/PROBE_RAN)
is_file_path should emit:

test -f /tmp/innocent\$\(touch\ ~/PROBE_RAN\)
This ensures the shell does not expand or interpret any metacharacters before passing the argument to test, and the probe simply
reports that the (admittedly oddly-named) path does not exist.

The same treatment should apply to is_git_repository, run_git_grep_command, run_grep_command, run_select_string_command,
run_find_command, and run_powershell_get_childitem_command.

### Screenshots, videos, and logs

_No response_

### Operating system (OS)

macOS

### Operating system and version

macOS 26.3.1

### Shell Version

zsh 5.9 (arm64-apple-darwin25.0)

### Current Warp version

v0.2026.05.06.15.42.stable_03

### Regression

No, this bug or issue has existed throughout my experience using Warp

### Recent working Warp date

_No response_

### Additional context

The sister fix for git checkout from the branch chip was tracked in #10639 / PR #10444. The recently-merged fix for cd "{path}" from
the open-folder and conversation-restore flows used the same idiom. This issue covers the remaining unquoted call sites on the
AI-agent tool side

### Does this block you from using Warp daily?

No

### Is this an issue only in Warp?

Yes, I confirmed that this only happens in Warp, not other terminals.

### Warp Internal (ignore): linear-label:b9d78064-c89e-4973-b153-5178a31ee54e

None

[oz-for-oss]

@tkshsbcue

Here's what I found while triaging this issue:

Thanks for the detailed report. This appears reproducible from the current agent command construction: paths containing shell metacharacters can be interpreted by the shell before the search/glob command receives them.

Maintainer details

I concluded that AI agent grep/file_glob path helpers interpolate unescaped paths into shell commands, allowing shell metacharacters in paths to be expanded before the helper command runs..

Triage

This looks like a valid, reproducible agent-tool escaping bug. The current grep/file_glob execution path resolves an agent-supplied path and then probes or searches it by constructing shell commands with the path inside double quotes. That is not sufficient for POSIX shells because $..., $(...), and backticks are still expanded inside double quotes, and the PowerShell branches have the same class of risk for PowerShell metacharacters.

The likely fix is to escape path arguments with the existing shell-family-aware escaping utility before interpolating them into commands, and to cover both the preflight probes and the actual grep/glob commands. Relevant code paths include:

• app/src/ai/blocklist/action_model/execute.rs for is_file_path and is_git_repository
• app/src/ai/blocklist/action_model/execute/grep.rs for run_git_grep_command, run_grep_command, and run_select_string_command
• app/src/ai/blocklist/action_model/execute/file_glob.rs for run_find_command and run_powershell_get_childitem_command
• crates/warp_util/src/path.rs / crates/warp_terminal/src/shell/mod.rs for ShellFamily::shell_escape and From<ShellType>

I searched open issues for matching reports. #11072 is related shell-escaping work in a different surface, but I did not find enough existing open issues with the same agent grep/file_glob helper failure to mark this as a duplicate.

This is my automated analysis and may be incorrect. A maintainer will verify the details.

Powered by Oz

[oz-for-oss]

This issue has been labeled ready-to-implement and is open for contributions involving code changes. If you'd like to tackle it, feel free to open a pull request against this issue. You can also comment @oz-agent on this issue to have the bot draft an implementation PR automatically.