Securing AI-Generated Bash Scripts Before You Run Them

Bash is the easiest language for AI to write and the easiest language to get devastating output from. A 20-line script that "just cleans up old files" can recursively delete a home directory because the model assumed a variable would always be set. A "simple log shipper" can write your secrets to a remote server because the model used set -x for debugging and forgot to remove it.

I have run AI-generated bash that I should not have. Most engineers I know have too. After enough close calls, there's a short checklist that catches the worst of it. This is that checklist.

The five things to check before running any AI-generated bash

1. Does it start with a strict pragma?

The first lines of any non-trivial bash script should be: