AI coding agent security risks: what can actually go wrong?
AI coding agents are powerful because they read repos, run commands, edit files, and open tools. Those same powers make prompt injection, secret exposure, unsafe terminal commands, and dependency confusion first-class risks.
The Risk Model
A coding agent is not just autocomplete. It is a tool-using worker inside your development environment.
Prompt injection
Untrusted files, issue text, comments, docs, or logs can contain instructions that the agent may treat as task guidance.
Terminal execution
A helpful command can still delete files, exfiltrate data, install malware, or mutate production state.
Secret leakage
Agents can read env files, tokens, config, logs, and copied snippets unless the workflow blocks access.
Risk By Agent Type
Risk follows permissions more than brand.
| Agent type | Common examples | Main risk | Safer operating rule |
|---|---|---|---|
| Terminal CLI | Claude Code, Codex, Aider, OpenCode | Shell commands and broad filesystem access | Use repo sandboxes, review commands, and keep secrets out of cwd |
| IDE agent | Cursor, Windsurf, Copilot | Large multi-file edits and hidden context confusion | Review diffs, run tests, and avoid accepting huge patch sets blindly |
| Cloud agent | Devin, remote coding workers | Long-running actions and credential scope | Use scoped tokens, disposable environments, and explicit approval gates |
| CI agent | PR review bots and coding actions | Prompt injection through issues, PR titles, and comments | Never give untrusted PR text direct access to privileged commands |
Safe Workflow Checklist
Use this before pointing an agent at a real repo.
1. Isolate the workspace
Use a disposable branch, container, or copied repo for unknown code. Keep production credentials outside the workspace.
2. Require command review
Let the agent propose risky commands, but require human approval for installs, network calls, deletes, deploys, and credential access.
3. Verify with tests
Do not trust an agent's summary. Run tests, inspect diffs, and check generated files before merging.
4. Narrow tokens
Use least-privilege API keys. Prefer read-only keys for exploration and rotate keys after risky experiments.
5. Watch hidden context
Docs, READMEs, comments, and logs can steer an agent. Treat repo text as untrusted input unless you own it.
6. Separate deploy
Implementation and deployment should be separate gates. A coding agent should not silently ship changes after editing.
How AgentRanks Scores Security
Security is part of agent value, not a footnote.
AgentRanks gives more credit to agents that make command approval obvious, expose diffs clearly, support sandboxing, preserve task logs, and reduce hidden background actions. We penalize workflows that blur usage, silently run expensive jobs, or make it hard to understand what the agent did.
Next: compare Claude Code vs Codex, review code chaos patterns, or browse open-source coding agents.