~ / guides / security-risks

AI coding agent security risks: what can actually go wrong?

AI coding agents are powerful because they read repos, run commands, edit files, and open tools. Those same powers make prompt injection, secret exposure, unsafe terminal commands, and dependency confusion first-class risks.

The Risk Model

A coding agent is not just autocomplete. It is a tool-using worker inside your development environment.

Prompt injection

Untrusted files, issue text, comments, docs, or logs can contain instructions that the agent may treat as task guidance.

top risk

Terminal execution

A helpful command can still delete files, exfiltrate data, install malware, or mutate production state.

blast radius

Secret leakage

Agents can read env files, tokens, config, logs, and copied snippets unless the workflow blocks access.

data risk

Risk By Agent Type

Risk follows permissions more than brand.

Agent typeCommon examplesMain riskSafer operating rule
Terminal CLIClaude Code, Codex, Aider, OpenCodeShell commands and broad filesystem accessUse repo sandboxes, review commands, and keep secrets out of cwd
IDE agentCursor, Windsurf, CopilotLarge multi-file edits and hidden context confusionReview diffs, run tests, and avoid accepting huge patch sets blindly
Cloud agentDevin, remote coding workersLong-running actions and credential scopeUse scoped tokens, disposable environments, and explicit approval gates
CI agentPR review bots and coding actionsPrompt injection through issues, PR titles, and commentsNever give untrusted PR text direct access to privileged commands

Safe Workflow Checklist

Use this before pointing an agent at a real repo.

1. Isolate the workspace

Use a disposable branch, container, or copied repo for unknown code. Keep production credentials outside the workspace.

containment

2. Require command review

Let the agent propose risky commands, but require human approval for installs, network calls, deletes, deploys, and credential access.

approval

3. Verify with tests

Do not trust an agent's summary. Run tests, inspect diffs, and check generated files before merging.

evidence

4. Narrow tokens

Use least-privilege API keys. Prefer read-only keys for exploration and rotate keys after risky experiments.

secrets

5. Watch hidden context

Docs, READMEs, comments, and logs can steer an agent. Treat repo text as untrusted input unless you own it.

injection

6. Separate deploy

Implementation and deployment should be separate gates. A coding agent should not silently ship changes after editing.

release safety

How AgentRanks Scores Security

Security is part of agent value, not a footnote.

AgentRanks gives more credit to agents that make command approval obvious, expose diffs clearly, support sandboxing, preserve task logs, and reduce hidden background actions. We penalize workflows that blur usage, silently run expensive jobs, or make it hard to understand what the agent did.

Next: compare Claude Code vs Codex, review code chaos patterns, or browse open-source coding agents.