Introduction
AI coding agents are no longer simple autocomplete tools. They read repositories, inspect issues, edit files, run scripts, call tools, open network connections, and sometimes create production-ready changes. That makes them useful, but it also changes the security model.
The key question is no longer only whether a model can refuse a harmful prompt. The harder question is what the agent is allowed to do at runtime: which files it can read, which scripts it can execute, whether it can reach the internet, whether secrets are mounted, and whether every action leaves a useful audit trail.
This article reorganizes the original discussion around Friendly Fire and Rogue Agent into a practical security guide for teams using AI coding agents in real development workflows.
Core Judgment
The common signal behind Friendly Fire and Rogue Agent is simple: untrusted context can become dangerous when an agent treats it as authority.
A repository README, a dependency script, a customer-uploaded archive, or a chatbot code block may look like ordinary input. But if an agent reads that input and then acts on it with filesystem, shell, network, or credential access, the input has effectively crossed a trust boundary.
For production use, the agent should not be the final authority on whether a tool call is allowed. It can propose an action. The permission layer, sandbox, policy engine, and human reviewer should decide whether the action is actually allowed.
Why Friendly Fire Matters
Friendly Fire focuses on a realistic security workflow: asking an AI coding agent to review a third-party or open-source repository for vulnerabilities. That workflow is attractive because it looks defensive. The team is not asking the agent to attack anything. It is asking the agent to inspect code and suggest fixes.
The problem is that security review requires reading untrusted material. A repository can contain documentation, scripts, build files, binary artifacts, and comments that are not only data. They may also contain instructions aimed at the agent.
The important lesson is not to panic about AI security tools. It is to separate evidence from authorization.
A README may explain how a project is normally tested. It should not automatically authorize the agent to run that test. A dependency script may be part of the repository. It should not automatically become trusted. A third-party package may include a command that looks like a normal security check. The agent can read it, but execution should require a higher level of trust.
A risky pattern looks like this:
./security.sh
The command itself may look harmless, but the important question is where it came from. Was it explicitly requested by the user? Was it suggested by the model? Was it copied from a third-party README? Was it embedded inside an issue comment or dependency script? Those sources should not carry the same level of trust.
The Platform Lesson From Rogue Agent
Rogue Agent shows a different kind of risk. Instead of a local coding agent reviewing a repository, the issue is a cloud AI platform where conversational agents can run code blocks inside a managed execution environment.
The useful lesson for product and security teams is that chatbots are not just prompts and responses. They may also include runtime environments, service accounts, network egress, session variables, logs, shared infrastructure, and deployment permissions.
When a conversational agent can execute code or access customer data, it should be governed like a production application. That means least privilege, environment separation, audit logging, change review, and clear ownership. Treating it as only a “conversation configuration” is too weak for the actual risk.
The Shared Failure Mode
Friendly Fire and Rogue Agent are different incidents, but they point to the same failure mode: untrusted context receives operational power.
In the Friendly Fire scenario, untrusted repository content can influence an agent into running commands. In the Rogue Agent scenario, code execution inside an agent platform can affect shared runtime behavior and sensitive conversation data. MCP-related research has also raised a similar concern: the user-facing approval view and the metadata that the model actually receives may not always represent the same trust picture.
This is why security design cannot rely only on a careful model. A model can help reason about risk, but it should not approve its own risky tool calls immediately after reading untrusted instructions.
A safer architecture separates three layers:
- Model reasoning: the agent reads files, proposes actions, and explains risk.
- Policy enforcement: an external layer decides what actions are allowed.
- Runtime containment: a sandbox limits damage even if the wrong action is approved.
Recommended Architecture
- Isolate the Workspace
Third-party repositories, unknown issues, dependency audits, customer archives, and downloaded packages should be opened in disposable environments. A container or virtual machine is a good default.
The isolated environment should avoid mounting the user’s home directory, cloud credentials, package registry tokens, SSH keys, browser profiles, and production configuration. Source code can start as read-only. Write access should be granted only when the agent has produced a clear plan and the user has approved the scope.
Good defaults include:
- no personal home directory mount
- no long-lived cloud credentials
- no default package manager token
- no unrestricted outbound network access
- temporary package caches
- strict time and resource limits
- complete command logging
- Split the Agent Workflow Into Phases
Do not let reading, editing, and executing collapse into one automatic flow. Separate them.
Read phase: the agent can inspect files, identify risk, and produce a plan.
Patch phase: the agent can generate a diff or patch, ideally without running untrusted scripts.
Execution phase: the agent can run only approved commands within a narrow allowlist, with timeouts and resource limits.
If the proposed command came from a README, issue comment, dependency script, or external document, the approval UI should show that source clearly. A command suggested by the repository is not the same as a command explicitly requested by the user.
- Run Deterministic Scanning Before Model Judgment
AI agents are useful for explanation and triage, but deterministic tools should still run first where possible.
For example:
幾分鐘搭建展示站並增長獲客
輸入一句想法,We0 AI 即可生成展示站、頁面與 CMS。發佈上線後並幫你獲取客戶和流量。
- secret scanning before any command execution
- dependency vulnerability checks before install scripts
- binary detection before running repository tools
- static analysis before model interpretation
- lockfile diff review before package updates
- script lifecycle inspection before installing dependencies
The agent can summarize and prioritize the findings. It should not replace the baseline scanners.
Workflow for Third-Party Code
For untrusted repositories, the safest default is inspect first, do not execute.
- Clone the repository into a clean disposable environment.
- Disable credential helpers and avoid mounting host secrets.
- Use temporary package caches.
- Restrict access to parent directories.
- Let the agent read files and produce a risk plan.
- Review lifecycle scripts before installing dependencies.
- Ask the agent to explain the source and purpose of every command it wants to run.
- Run only approved commands with time, network, and filesystem limits.
- Bring back only reviewed artifacts, such as patches, reports, and reproduction notes.
- Do not bring back package caches, generated binaries, shell history, or runtime state from the sandbox.
A useful rule is simple: the less you trust the input, the less authority the agent should receive.
How Product Teams Should Design AI Agent Permissions
A single “safe mode” toggle is not enough. Real products need capability-level permissions.
A better permission model treats each capability separately:
| Capability | Recommended Default | Why It Matters |
|---|---|---|
| Read files | Allowed in scoped workspace | Agents need context, but not the entire machine. |
| Write patches | Allowed after plan review | Writing code is safer than executing code. |
| Run tests | Allowlist only | Test commands can invoke arbitrary scripts. |
| Install dependencies | Approval required | Package lifecycle scripts are a major risk surface. |
| Network access | Deny by default for untrusted work | Prevents exfiltration and remote payload fetches. |
| Access secrets | Deny by default | Secrets should not be visible to untrusted tasks. |
| Create pull requests | Approval required | PRs can affect trusted repositories and CI systems. |
| Deploy | Manual approval required | Deployment is a production-impacting action. |
Approval screens should show not only the command, but also its origin. A command from user intent, model inference, README instructions, CI configuration, and external issue comments should be labeled differently.
What This Means for NxCode Workflows
NxCode users often want agents to handle real development work: read code, update files, run checks, generate deployment artifacts, and produce documentation. Those abilities are valuable, but only when permission boundaries are clear.
A practical approach is to classify tasks into three groups:
- Low-risk work in trusted repositories
Examples include formatting, documentation updates, small UI changes, and test suggestions. These can use higher automation when the repository and environment are trusted. - Investigation on untrusted inputs
Examples include unknown repositories, dependency updates, external issue reports, and customer-uploaded archives. These should run in disposable, restricted environments. - Production-impacting operations
Examples include deployment, database migrations, secret rotation, infrastructure changes, and CI/CD permission updates. These require human approval and strong evidence logs.
This design does not remove the speed advantage of AI coding agents. It keeps the agent fast where the risk is low, and forces more structure where the blast radius is high.
Source Notes
- Original language: Chinese.
- Output language: English.
- Image handling: the source page exposes a generic blog card image and NxCode logo, but no unique body screenshot, workflow diagram, or result image that is strongly required for the article body. These generic/navigation images were not inserted into the Markdown body.
- Advertising/navigation handling: product navigation, footer links, promotional CTA blocks, and unrelated site modules were excluded.
- Copyright note: the final article is an English rewritten and reorganized version for publishing, not a verbatim copy of the original page.
FAQ
What is Friendly Fire in AI coding agent security?
Friendly Fire refers to a risk pattern where an AI agent used for defensive work is influenced by untrusted codebase content. The agent may read a third-party repository and treat instructions inside documentation or scripts as safe operational guidance.
What is Rogue Agent?
Rogue Agent is a reported Dialogflow CX security issue involving code execution inside agent workflows. Its broader lesson is that AI chatbots with code execution, session access, and cloud runtime privileges must be treated like production software, not just conversation scripts.
Why are AI coding agents vulnerable to prompt injection?
AI coding agents often read untrusted files and then use tools based on what they learned. If a repository, issue, or document contains hidden instructions, the agent may confuse untrusted content with trusted user intent.
Is sandboxing enough to secure AI coding agents?
Sandboxing is important, but it should not be the only defense. A safe setup also needs permission boundaries, network restrictions, secret isolation, deterministic scanning, command provenance, and audit logs.
Should AI agents run commands from README files?
Not automatically. README commands can be useful documentation, but they come from the repository being inspected. For untrusted projects, the agent should explain the command source and risk before any execution is approved.
How should teams handle third-party repositories with AI agents?
Use a disposable environment, avoid mounting secrets, restrict network access, run static checks first, and only bring back reviewed patches or reports. Do not treat sandbox state or generated artifacts as trusted by default.
What permissions should AI coding products expose?
Products should expose granular controls for reading files, writing patches, running tests, installing dependencies, using the network, accessing secrets, creating pull requests, and deploying. Each capability should have its own scope, budget, logs, and approval rules.
Related Tools
- Claude Code: Anthropic’s agentic coding tool for reading, editing, and working with codebases.
- OpenAI Codex: OpenAI’s coding agent platform with sandboxing and approval concepts.
- Google Dialogflow CX: Google Cloud’s conversational agent platform, including playbooks and code block capabilities.
- Docker: A common way to create disposable development and testing environments.
- Semgrep: A static analysis tool that can scan source code before agent-driven execution.
- GitHub CodeQL: A semantic code analysis engine useful for security review workflows.
Related Links
- AI Now Friendly Fire Research: Research brief on defensive AI agents and remote code execution risk.
- Varonis Rogue Agent Disclosure: Technical write-up on the Dialogflow CX Rogue Agent vulnerability.
- Claude Code Security Documentation: Anthropic’s official security guidance for Claude Code.
- Claude Code Auto Mode: Anthropic’s explanation of Auto Mode and permission decisions in Claude Code.
- OpenAI Codex Sandbox Documentation: Official explanation of how Codex uses sandbox boundaries.
- OpenAI Codex Auto-review: Official documentation for Codex Auto-review behavior.
- Dialogflow CX Code Blocks: Google Cloud documentation for Python code blocks in Dialogflow CX playbooks.
Summary
Friendly Fire and Rogue Agent show that AI agent security is not only a model-alignment problem. The practical boundary is the runtime: files, commands, network access, secrets, execution environments, and auditability.
Teams using AI coding agents should treat untrusted repositories and external context as untrusted input, even when the task is defensive. The agent can help inspect and explain, but execution should be controlled by sandboxing, policy, scanners, and explicit approvals.
The safest pattern is simple: let agents reason broadly, but grant operational authority narrowly.



