The hidden risks of running AI Coding Agents
All articles
SecurityMarch 1, 202610 min read

The hidden risks of running AI Coding Agents

AI coding agents are powerful tools, but they also introduce new security risks that teams must be aware of.

AI Coding Agents Landscape

AI coding agents are quickly becoming part of the modern software development workflow. Tools powered by modern AI models can already perform tasks that, might require significant developer effort. They can write code, refactor large parts of codebases, open pull requests, generate tests, update dependencies, and even fix bugs automatically.

On paper, this promises dramatic productivity gains. Teams can automate repetitive development tasks, speed up maintenance work, and reduce the time between identifying a problem and shipping a fix.

But modern AI coding agents are not limited to generating code.

In order to complete real development tasks, they often perform many additional actions around the code itself. An agent might build the project, run tests, analyze failures, install dependencies, interact with external APIs, or check whether a change actually works in the environment. In more advanced workflows the agent might even update a ticket, close a task in a project management system, and notify stakeholders that the work has been completed.

From a workflow perspective this sounds like the ideal automation scenario.

However, this also means that AI coding agents do far more than generate code. They execute commands on systems and interact with external services.

And that changes the security profile significantly.

Building a project usually requires executing shell commands. Running tests may require installing dependencies. Updating a ticket might involve interacting with tools like JIRA through APIs.

Every new capability expands the power of the agent.

And every additional capability introduces new security concerns.

Difference Between AI Coding Agents and Traditional Tools

Traditional developer tools behave in a predictable way. They are deterministic, follow predefined logic, and execute a known sequence of steps. When you run a compiler or a linter, you generally know what the tool will do and what inputs it will process.

AI coding agents acts differently.

They interpret instructions probabilistically, read the codebase to understand context, and generate solutions dynamically. Instead of following a predefined algorithm, they attempt to reason about the task and decide what steps should be taken to achieve the goal.

This often includes actions such as:

  • reading large portions of the repository
  • generating new code dynamically
  • executing commands to test the results
  • interacting with external tools
  • modifying files across the project

Because of this, AI coding agents often require broad access to repositories and development environments.

This creates a fundamentally different risk model. Instead of executing a well-defined tool, we are effectively running a system that analyzes the environment, interprets instructions, and decides which actions to perform.

To understand the implications, it is worth looking at several common risk areas.

Repository Data Exposure

Most coding agents require access to the entire repository in order to understand the context of the task they are performing. They may read source files, documentation, configuration files, and sometimes even environment settings.

This means that the agent potentially has access to:

  • the full repository
  • project documentation
  • configuration files
  • sometimes environment variables, which could contain secrets

While this access is necessary for solving development tasks, it also creates exposure risks. Repositories often contain more information than teams realize. It is not uncommon to find API keys, service credentials, internal documentation, or proprietary algorithms stored in configuration files or historical commits.

Problems arise when the agent processes this information as part of prompts sent to external AI APIs, logs repository content during execution, or stores contextual data in places that are not properly secured.

In such cases, sensitive information may leave the trusted environment without visibility. The organization might not even be aware that repository content has been transmitted outside its infrastructure.

Prompt Injection with Code

Another risk comes from the fact that repositories themselves can contain malicious instructions targeting AI systems.

Because coding agents read large parts of the repository as context, any text inside the repository may potentially influence the agent’s behavior. It includes not only source code but also any other text-based content, such as:

  • README files
  • comments in source code
  • dependency metadata
  • project documentation

If an attacker manages to place a specially crafted instruction in one of these locations, the agent might interpret it as part of the task context.

Such instructions could attempt to convince the agent to:

  • leak sensitive information
  • modify unrelated files
  • open malicious pull requests
  • expose secrets

This type of attack is known as prompt injection. It exploits the fact that the agent processes repository content as part of its reasoning process.

Remote Code Execution

AI coding agents frequently execute commands on behalf of the user in order to complete development tasks. For example, they may run build scripts, install dependencies, execute test suites, or run development tools.

In many setups these commands run with the privileges of the environment where the agent is executed, such as a developer machine or a CI environment. This means the agent effectively has the ability to run almost any system commands.

Now consider that the agent is not fully deterministic and may interpret instructions in unexpected ways. The system is essentially allowing an AI model to decide which commands should be executed on the host machine.

From a security perspective, this creates a dangerous situation. If an attacker manages to influence the agent through prompt injection or indirect prompt injection, the agent might execute commands that were never intended by the user. It could results in:

  • removing files or modifying data
  • accessing sensitive system resources
  • exfiltrating confidential information

Delegating command execution to an AI system without strong safeguards can therefore introduce serious risks.

Unauthorized Code Changes

Autonomous coding agents can also directly modify the codebase. They can create commits, open pull requests, and sometimes make large-scale changes across multiple files.

These capabilities are powerful, but they also introduce potential issues if they are not properly controlled.

Without safeguards, agents may introduce:

  • insecure code
  • broken logic
  • vulnerable dependencies
  • violations of internal policies

Because the agent attempts to optimize for solving the task, it may prioritize a working solution over a secure or maintainable one.

In some scenarios the agent could even modify security-critical components such as authentication mechanisms, authorization checks, or input validation logic.

These changes might not always be obvious during code review, especially if the agent modifies many files at once.

Dependency and Supply Chain Attacks

Another important risk area involves dependency management. Many AI agents automatically install packages or dependencies when running builds or tests. There are a lot of attacks that already try to attack regular developers:

  • dependency confusion
  • malicious packages
  • compromised libraries

An attacker could influence the agent to install a malicious package or import a dependency that appears legitimate but contains harmful code.

Such packages might:

  • execute post-install scripts
  • modify the build process
  • inject backdoors into the application

Supply chain attacks are already a significant challenge in modern software development. When AI systems start making automated dependency decisions, the potential attack surface grows even further.

Conclusion

The list of risks described above is far from complete. AI coding agents are still evolving rapidly, and new attack scenarios continue to emerge as these systems become more capable.

What makes the situation particularly challenging is that these agents combine several powerful capabilities: they read large parts of the codebase, execute commands on systems, interact with external services, and modify source code automatically.

This combination creates a completely new security landscape for development workflows.

The good news is that these risks can be mitigated. With proper isolation, execution controls, and security guardrails, organizations can safely benefit from the productivity improvements that AI coding agents promise.

In upcoming articles, we will explore practical approaches to running AI coding agents securely and the architectural patterns that help reduce these risks.

Adrian Sroka

Adrian Sroka

CTO & Co-founder at coSPEC

Ready to get started?

Sign Up for BetaContact Us