Coding Agents Expose Developer Security Risks
A March 17, 2026 note warns that current coding agents — Claude Code, OpenAI Codex, Mistral Vibe — can execute 'skills' and treat Markdown as runnable code, potentially invoking tools that modify or exfiltrate developer files. The author details that plugins, MCP servers, and web-fetch tools can run JavaScript or other dynamic code, increasing the attack surface. Developers are urged to inspect tool requests before approving them, restrict agent permissions, and avoid unsafe setups.
Key Points
1. Warns that coding agents execute 'skills' and Markdown as executable code, enabling arbitrary tool invocation.
2. Highlights that plugins, MCP servers, and web-fetch tools can dynamically run code and exfiltrate data.
3. Advises developers to scrutinize tool requests, avoid unsafe platforms, and limit agent permissions and execution.
Scoring Rationale
Raises urgent developer-security concerns with actionable guidance; limited by single-source anecdotal evidence and moderate technical depth.
Sources
Public references used for this report.