· Updated

Coding Agent Security Checklist 2026 — What Every Operator Must Lock Down

industry#security#beware#guide#checklist#pillar

Coding agents with shell, filesystem, and git access fail differently than chatbots. A bad completion becomes a real action. This checklist is the pillar we keep updating as new issues land.

Use it before you grant auto-approve, before you wire MCP servers, and after every major agent upgrade.

1. Session & context isolation

  • Never run sensitive work with “resume / remote / sync” features until you trust isolation.
  • Treat unexplained “you asked me to…” as a bleed red flag, not a feature.
  • One sensitive repo per session; kill the session if context from another machine appears.

Deep dives: Cross-session content bleed · MCP response cross-contamination · Interrupt drops work

2. Permissions: deny by default

  • Prefer approval gates over dangerously-skip-permissions / full auto-approve.
  • Deny network by default in sandboxes; allowlist only what you need.
  • On Windows, verify sandboxes are actually enforced (Smart App Control, click-through dialogs).

Deep dives: Codex sandbox dead on Windows · Windows click-through permissions · Permission prompt flood

3. Secrets & environment

  • No AWS/GitHub tokens in the agent’s inherited env when avoidable.
  • Block .env writes/reads in agent allowlists unless required.
  • Assume prompt injection via images, READMEs, and tool output is possible.

Deep dives: GhostCommit PNG injection · Zero sandbox credential leak · PreToolUse raw command leak

4. Git & data-loss blast radius

  • Commit or stash before any agent destructive step.
  • Watch background tasks for SIGKILL mid-write.
  • Never trust “done” without git status / tests.

Deep dives: Background SIGKILL + git corruption · Silent work drop after interrupt

5. MCP, plugins, and third-party tools

  • Audit every MCP server: who built it, what network it can hit.
  • Prefer read-only MCP for untrusted contexts.
  • Cap parallel tool calls if your agent has cross-wire bugs under load.

Deep dives: MCP response cross-contamination · AWS Agent Toolkit / MCP

6. Cost & model routing integrity

  • Log which model actually ran (not only which you selected).
  • Cap auto-retries after rate limits.
  • Alert on unexpected token burn.

Deep dives: Silent quota / wrong model · Indefinite auto-retry · Token overhead Claude Code vs OpenCode

7. Operator discipline (non-negotiable)

  1. Checkpoint git before agent runs.
  2. Read the plan before approve.
  3. Reject any instruction the agent “remembers” that you did not give.
  4. Rotate secrets if a session looked contaminated.
  5. Follow terminalblog Beware tag weekly.

Last verified: July 2026. When a new security class appears, we add a Beware post and link it here.

k
kira_bug_hunter
Security & Bug Hunter
Former pen tester. Finds the bugs nobody wants to exist. Skeptical of everything, especially status indicators.

Related articles