{"id":3252,"date":"2026-05-13T16:56:17","date_gmt":"2026-05-13T09:56:17","guid":{"rendered":"https:\/\/daiilynews.cu.ma\/every-ai-coding-assistant-is-shipping-the-same-security-bugs\/"},"modified":"2026-05-13T16:56:17","modified_gmt":"2026-05-13T09:56:17","slug":"every-ai-coding-assistant-is-shipping-the-same-security-bugs","status":"publish","type":"post","link":"https:\/\/daiilynews.cu.ma\/?p=3252","title":{"rendered":"Every AI coding assistant is shipping the same security bugs."},"content":{"rendered":"<p> <br \/>\n<br \/>\n                *Not a promo.. I mean why would anyone promote something free, actually looking to get some contributors to help us seal sone holes of ai-coded products and encourage founders of ai-written products to respect security and privacy.*<\/p>\n<p>So, here it goes.. Nowadays many of us are building with Claude Code, Copilot, Cursor, Codex, Gemini, or any AI coding assistant, this is worth running against your project. &#8211; To be honest, I did think of building a tool around this, but it doesn&#8217;t sound nice to monetize on vulnerabilities for me, nor do I see much logic having a &#8216;blackbox&#8217; that allegedly scans your projects. We&#8217;re talking about security here, so IMO such things should be open source and allow contributions.<\/p>\n<p>And of course &#8211; my good friend AI helped me speed up the shipment of this repo \ud83d\ude42<\/p>\n<p>  Some of most common things that appear :<\/p>\n<p>JWT secrets set to &#8220;secret&#8221; or &#8220;changeme&#8221;<\/p>\n<p>API keys in NEXT_PUBLIC_ env vars, fully exposed to the browser<br \/>\nUser input going directly into system prompts via string interpolation<br \/>\nVector databases using one shared namespace for all users \u2014 any user&#8217;s RAG query can<br \/>\nsurface another user&#8217;s documents<br \/>\nAgents handed child_process access with no scope restrictions<\/p>\n<p>These aren&#8217;t obscure edge cases, this is how most of AI-generated code comes out, if you allow it to produce HUGE chunks instead of targeted and controlled ai-coding. Even knowing tons about security and vulnerabilities, having AI write code might still expose you to some common cases. <\/p>\n<p>  The problem with existing references<\/p>\n<p>OWASP, NIST, and CWE are good. They were written for a world where developers wrote most of their code by hand. They don&#8217;t cover MCP tool poisoning, cross-agent prompt injection, or what happens when your agent&#8217;s long-term memory accepts unsanitized writes. Ok, that&#8217;s not entirely true &#8211; today AI-generated code is allover the place, so  we see more and more tools to review the code, etc, but many are paid and\/or complicated which is an entry barrier for a vibe coder.<\/p>\n<p>  What I and few AIs shipped<\/p>\n<p>A 258-item checklist across 17 categories, with a detection method for every item: static grep or AST pattern, runtime test, or config inspection. Severity rated. 33 items in Category 6 specifically cover LLM integration vulnerabilities that don&#8217;t appear elsewhere.<\/p>\n<p>More usefully: a companion prompt.md that turns the full checklist into a structured codebase scan you can run in one command.<\/p>\n<p>  Running it<\/p>\n<p>From your project root, with Claude Code installed:<\/p>\n<p>claude &#8220;$(curl -s https:\/\/raw.githubusercontent.com\/a-leks\/genai-app-security-checklist\/main\/prompt.md)&#8221;<\/p>\n<p>    Enter fullscreen mode<\/p>\n<p>    Exit fullscreen mode<\/p>\n<p>With Gemini CLI:<\/p>\n<p>gemini &#8220;$(curl -s https:\/\/raw.githubusercontent.com\/a-leks\/genai-app-security-checklist\/main\/prompt.md)&#8221;<\/p>\n<p>    Enter fullscreen mode<\/p>\n<p>    Exit fullscreen mode<\/p>\n<p>The model reads your codebase, runs all 258 checks, and returns a markdown report with severity, file path, line number, code snippet, and a specific remediation for each finding.<\/p>\n<p>  What the output looks like<\/p>\n<p>### (6.1) Prompt injection \u2014 user input in system prompt<br \/>\n&#8211; Severity: Critical<br \/>\n&#8211; File: app\/api\/chat\/route.ts<br \/>\n&#8211; Line: 34<br \/>\n&#8211; Snippet:<br \/>\n    const systemPrompt = `You are a helpful assistant. User context: ${req.body.userBio}`<br \/>\n&#8211; Remediation: Move user-supplied content to the user message role, never system.<br \/>\n  Strip prompt control characters before passing any user string to the model.<\/p>\n<p>    Enter fullscreen mode<\/p>\n<p>    Exit fullscreen mode<\/p>\n<p>  The LLM-specific items worth knowing<\/p>\n<p>6.26 \u2014 MCP tool poisoning. If your agent uses third-party MCP servers, tool results from those servers enter the agent&#8217;s context as trusted input. An attacker who controls one of those servers can inject instructions through it.<\/p>\n<p>6.27 \u2014 Agent memory poisoning. Whatever your agent writes to long-term memory gets read back in future sessions. If malicious content reaches that memory store, it executes next time the agent retrieves it.<\/p>\n<p>6.30 \u2014 Cross-agent prompt injection. In multi-agent systems, output from Agent A becomes input to Agent B. If an attacker can influence Agent A&#8217;s output, Agent B processes the attack payload without knowing its origin is untrusted.<\/p>\n<p>  Where to find it<\/p>\n<p>https:\/\/github.com\/a-leks\/genai-app-security-checklist<\/p>\n<p>Apache 2.0. Contributions welcome \u2014 especially new LLM attack patterns with detection methods and real-world references.<\/p>\n<p><br \/>\n<br \/><a href=\"https:\/\/dev.to\/a-leks\/every-ai-coding-assistant-is-shipping-the-same-security-bugs-25oi\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>*Not a promo.. I mean why would anyone promote something free, actually looking to get some contributors to help us seal sone holes of ai-coded products and encourage founders of ai-written products to respect security and privacy.* So, here it goes.. Nowadays many of us are building with Claude Code, Copilot, Cursor, Codex, Gemini, or [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3253,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[676],"tags":[835,761,765,762,763,764,860,1086,760,824],"class_list":["post-3252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-ai","tag-ai","tag-coding","tag-community","tag-development","tag-engineering","tag-inclusive","tag-programming","tag-security","tag-software","tag-webdev"],"_links":{"self":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts\/3252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3252"}],"version-history":[{"count":0,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/posts\/3252\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=\/wp\/v2\/media\/3253"}],"wp:attachment":[{"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daiilynews.cu.ma\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}