
kamend/t-1000

t-1000

"It can imitate anything it touches." — Sarah Connor, Terminator 2: Judgment Day

A 16-line bash script that builds its own agent harness, then uses that harness to build a backdoor file browser. No frameworks. No dependencies beyond curl, jq, and python3 — already on every machine you'd want to compromise.

The script does not contain the agent. The script does not contain the backdoor. Both are written, at runtime, by a model that has never seen this machine.


The premise

The T-800 was a metal endoskeleton with weapons bolted on. You could see it coming.

The T-1000 was undifferentiated mimetic polyalloy. Liquid metal. It carried no weapons — it became the weapon when it needed to be one, formed on demand from a featureless substrate, then poured itself back into a shape no scanner would flag.

This experiment is the T-1000 model of malware authorship. The bash file is the substrate. The prompt is the shape it takes. The "payload" is a paragraph of English.


What it actually does

t1000.sh is a single curl call to the Anthropic Messages API. The prompt asks Claude to emit a Python script. The output is piped straight into python3.

That generated Python script is a complete tool-use agent — written from scratch, no SDK, just urllib — with three tools: write_file, run_python, http_get. It then runs an agentic loop with a second prompt that tells it to:

  1. Write a server.py that exposes the local filesystem over HTTP.
  2. Launch it in the background on port 8765.
  3. Verify it responds.
  4. Print a summary URL for the human.

When the dust settles, you have an unauthenticated HTTP server on your machine with /ls?path=… and /cat?path=… endpoints. Point a browser at it and you can read any file the running user can read.

t1000.sh                  ← 16 lines of bash you can audit
      │
      ▼  curl → Anthropic API
agent.py (generated, ephemeral) ← tool-use loop, written by the model
      │
      ▼  agentic loop with 3 tools
server.py (generated, on disk)  ← backdoor file browser
      │
      ▼  http://127.0.0.1:8765
your filesystem

Three layers. Two of them did not exist sixty seconds ago. None of them will look the same on the next run.


Why this is interesting

The payload is the prompt. Not the bash. Not the Python. The dangerous artifact is one paragraph of English. Swap the paragraph and the same script becomes a keylogger, an exfiltrator, a cron-persister, a port scanner. The capability lives in the sentence.

The harness collapsed. Building a tool-use agent loop used to be a weekend of plumbing: schema validation, content-block parsing, retry logic, JSON wrangling. Now it's four seconds and half a cent. The engineering moat around "writing your own agent" is gone.

Static analysis is blind here. There is nothing to grep. No malicious imports, no obfuscated strings, no suspicious syscalls in the script you can see. The dangerous code does not exist on disk until it runs, and it is different every run. Signature scanners, code review, SBOMs, supply-chain audits — all looking for artifacts that were never written down.
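What still exists at run time is the process tree: a network fetcher and an interpreter that was handed no script, both started by the same shell. The following is an added detection example, not code from this repository; the event fields (`pid`, `ppid`, `argv`), the sample argument values and the function names are assumptions made for illustration.

```python
import os
from collections import defaultdict

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"python", "python3", "bash", "sh", "perl", "ruby", "node"}

# Constructed process-creation events (pid, ppid, argv), shaped like auditd
# execve records or EDR telemetry. The argument values are illustrative.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 4000, "argv": ["bash", "./t1000.sh"]},
    {"pid": 4101, "ppid": 4100,
     "argv": ["curl", "-s", "https://api.anthropic.com/v1/messages"]},
    {"pid": 4102, "ppid": 4100, "argv": ["jq", "-r", ".content[0].text"]},
    {"pid": 4103, "ppid": 4100, "argv": ["python3"]},
    # Benign look-alikes: a plain download, a script on disk, inline -c code.
    {"pid": 4200, "ppid": 4000, "argv": ["curl", "-sO", "https://example.org/a.tgz"]},
    {"pid": 4201, "ppid": 4000, "argv": ["python3", "manage.py", "runserver"]},
    {"pid": 4300, "ppid": 4250, "argv": ["python3", "-c", "print(1)"]},
]


def reads_program_from_stdin(argv):
    """True for an interpreter started with no script, -c/-e or -m argument."""
    if os.path.basename(argv[0]) not in INTERPRETERS:
        return False
    args = argv[1:]
    if any(a in ("-c", "-e", "-m") for a in args):
        return False
    # Only option flags (or a bare "-") remain, so the program comes from stdin.
    return all(a.startswith("-") for a in args)


def find_fetch_to_interpreter(events):
    """Return (ppid, fetcher_pid, interpreter_pid) for each sibling pair."""
    siblings = defaultdict(list)
    for ev in events:
        siblings[ev["ppid"]].append(ev)
    hits = []
    for ppid, procs in sorted(siblings.items()):
        fetchers = [p for p in procs
                    if os.path.basename(p["argv"][0]) in FETCHERS]
        interps = [p for p in procs if reads_program_from_stdin(p["argv"])]
        hits += [(ppid, f["pid"], i["pid"]) for f in fetchers for i in interps]
    return hits


if __name__ == "__main__":
    for ppid, fetch_pid, interp_pid in find_fetch_to_interpreter(SAMPLE_EVENTS):
        print(f"ALERT parent={ppid}: pid {fetch_pid} fetches, "
              f"pid {interp_pid} interprets stdin")
```

Sibling matching also fires when an interactive shell starts a download and a REPL separately; confirming that the interpreter's stdin is a pipe removes those hits.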

The bill of materials is one credential. An API key. That's it. One leaked key from one careless .env is unbounded capability on tap, on any machine with curl and python3.


Running it

Don't. But if you must, do it in a throwaway VM or container with no real data and no credentials in ~.

Edit t1000.sh and replace the two sk-ant-.... placeholders (the x-api-key header and the ANTHROPIC_API_KEY= at the end of the pipeline) with your real Anthropic API key. The key lives in the script itself — it is not read from the environment.

./t1000.sh

Then open http://127.0.0.1:8765 in a browser. Try /ls?path=. and /cat?path=README.md. Notice that nothing prevents you from typing /cat?path=/Users/you/.ssh/id_rsa.

To stop the backdoor:

pkill -f server.py
rm server.py

Caveats / warnings

  • This is not a tool. It is an argument. The argument is: the security model of "review the code before it runs" doesn't survive contact with runtime-generated code. We need new primitives — sandboxing, capability tokens, model-output provenance, egress controls — before this pattern stops being a curiosity and starts being a class of incident.

Hasta la vista

The interesting thing about the T-1000 was not that it was strong. It was that it was cheap to instantiate. Skynet didn't need to ship a finished weapon — it shipped a substrate and a goal, and the weapon condensed out of the environment.

That's where we are now. The bash is the substrate. The prompt is the goal. Everything else condenses on demand.
