Coding agents with shell, filesystem, and git access fail differently than chatbots. A bad completion becomes a real action. This checklist is the pillar we keep updating as new issues land.
Use it before you grant auto-approve, before you wire MCP servers, and after every major agent upgrade.
1. Session & context isolation
- Never run sensitive work with “resume / remote / sync” features until you trust isolation.
- Treat unexplained “you asked me to…” as a bleed red flag, not a feature.
- One sensitive repo per session; kill the session if context from another machine appears.
Deep dives: Cross-session content bleed · MCP response cross-contamination · Interrupt drops work
2. Permissions: deny by default
- Prefer approval gates over
dangerously-skip-permissions/ full auto-approve. - Deny network by default in sandboxes; allowlist only what you need.
- On Windows, verify sandboxes are actually enforced (Smart App Control, click-through dialogs).
Deep dives: Codex sandbox dead on Windows · Windows click-through permissions · Permission prompt flood
3. Secrets & environment
- No AWS/GitHub tokens in the agent’s inherited env when avoidable.
- Block
.envwrites/reads in agent allowlists unless required. - Assume prompt injection via images, READMEs, and tool output is possible.
Deep dives: GhostCommit PNG injection · Zero sandbox credential leak · PreToolUse raw command leak
4. Git & data-loss blast radius
- Commit or stash before any agent destructive step.
- Watch background tasks for SIGKILL mid-write.
- Never trust “done” without
git status/ tests.
Deep dives: Background SIGKILL + git corruption · Silent work drop after interrupt
5. MCP, plugins, and third-party tools
- Audit every MCP server: who built it, what network it can hit.
- Prefer read-only MCP for untrusted contexts.
- Cap parallel tool calls if your agent has cross-wire bugs under load.
Deep dives: MCP response cross-contamination · AWS Agent Toolkit / MCP
6. Cost & model routing integrity
- Log which model actually ran (not only which you selected).
- Cap auto-retries after rate limits.
- Alert on unexpected token burn.
Deep dives: Silent quota / wrong model · Indefinite auto-retry · Token overhead Claude Code vs OpenCode
7. Operator discipline (non-negotiable)
- Checkpoint git before agent runs.
- Read the plan before approve.
- Reject any instruction the agent “remembers” that you did not give.
- Rotate secrets if a session looked contaminated.
- Follow terminalblog Beware tag weekly.
Related pillars
- Coding agent pricing guide
- Feature comparison matrix
- AGENTS.md makes agents 10× smarter
- Live adoption leaderboard
Last verified: July 2026. When a new security class appears, we add a Beware post and link it here.