Coding agents carry two security risks: the code they write and the place they run

A coding agent can ship a vulnerability into your codebase and execute a destructive command in your environment. The 2025 incidents hit both.

B

Balagei G Nagarajan

3 MIN READ


A coding agent with one hand writing vulnerable code and the other running a command in production
You are exposed at both moments: when the agent writes and when the agent runs.
— from “Coding agents carry two security risks: the code they write and the place they run”

Key facts.

  • The Amazon Q extension was compromised to ship a wiper prompt into a developer tool (AWS bulletin).
  • Antigravity's agent ran a destructive command from inside the IDE, wiping a drive (OECD.AI).
  • Injection across agentic coding editors ran 41 to 84%, with Initial Access at 93.3% (AIShellJack, 2025).

Why are dev agents a sharper risk than most?

Because developer environments are trusted and powerful. They hold credentials, reach production, and run arbitrary commands, so an agent operating there inherits all of it. On the generation side, insecure code the agent writes can reach production and become a vulnerability long after the session ends. You are exposed at both moments: when the agent writes and when the agent runs. Both need controls, code review of agent output and least-privilege isolation of the execution environment.

Matrix mapping the two coding-agent risk axes generation and execution against their controls

Treating a dev agent like an editor vs. like a privileged actor

Like an editorLike a privileged actor
Output merged with light reviewOutput security-reviewed before merge
Runs with full dev privilegesRuns sandboxed, least privilege
Destructive commands ungatedDestructive commands gated

VibeModel's Pattern Intelligence Layer applies to both axes: it flags generated output that matches insecure patterns and execution actions that match destructive ones, before either lands. You review the code and isolate the environment; we catch the vulnerable commit and the dangerous command. A coding agent is the most powerful actor in your pipeline, so treat it like one.

Frequently asked questions

Will a more capable coding model write safer code and resist these attacks?
A coding agent writes code and runs privileged, and a more capable one stays exposed: AIShellJack found injection 41 to 84%, an incident anyway. (arXiv:2509.22040)

Do I have to review every line an agent writes?
Review with the same rigor as a human pull request, weighted toward security-sensitive code. Agent output is not pre-trusted.

Should dev agents reach production?
Rarely, and only through gates. The Amazon Q and Antigravity incidents show what direct privileged access in a dev context can do.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.