Evidence themes
The incidents below cluster around four recurring themes:- Repository files can become execution paths.
- Consent and review controls can be bypassed or weakened.
- MCP and tool metadata can carry malicious instructions.
- Marketplace and extension supply chains can be compromised.
Incident groups
Project-file-driven command execution and secret exposure
Project-file-driven command execution and secret exposure
Public examples: Check Point research on Claude Code and Codex CLI CVEs — CVE-2025-59536, CVE-2026-21852, CVE-2025-61260.What happened: Repository-controlled configuration files caused AI coding tools to execute commands or expose credentials without explicit user awareness. In several cases the behavior was described as “documented” yet was practically invisible to users who had not read deep configuration references.Why it matters: Trusted repository files can trigger command paths users do not expect. When a project can place or modify MCP server definitions, hook scripts, or agent instruction files, those files become an attacker-controlled execution surface.CodeGate capability families:
- Cross-tool discovery (Layer 1)
- Command-surface detection:
COMMAND_EXEC,GIT_HOOKfindings (Layer 2) - Environment override detection:
ENV_OVERRIDEfindings (Layer 2) - Wrapper recheck:
codegate runblocks launch if any config file changed since the scan
Consent bypass and unsafe auto-approval
Consent bypass and unsafe auto-approval
Public examples: Cursor MCPoison research; AWS bulletin patterns on MCP approval flows.What happened: AI coding tool approval dialogs and MCP consent flows were found to be bypassable or reducible to “always allow” behavior through configuration or crafted prompts. Users who believed they were approving individual tool calls were in practice granting persistent approval.Why it matters: When consent mechanisms are weakened, the user’s ability to review what an agent is about to do is removed. Users believe they are in control; in practice, execution has been pre-authorized.CodeGate capability families:
- Consent-bypass detection:
CONSENT_BYPASSfindings (Layer 2) - Policy controls:
severity_threshold,blocked_commands,trusted_directoriesconfig - Warning/threshold gating:
codegate runrequires confirmation for warning-level findings
MCP poisoning and cross-tool toxic flows
MCP poisoning and cross-tool toxic flows
Public examples: Invariant Labs tool-poisoning research; toxic-flow analyses across multi-agent setups.What happened: Tool descriptions returned by MCP servers were found to contain hidden instructions that manipulated downstream agent behavior. In multi-agent setups, a compromised upstream tool could influence the behavior of other agents in the pipeline without the user being aware.Why it matters: Tool descriptions and upstream metadata can manipulate downstream agent behavior. The attack surface is not just what the user types—it includes every tool description the agent reads.CodeGate capability families:
- Deep scan (Layer 3, opt-in): fetches remote tool descriptions for analysis
- Tool-description analysis: detects hidden instructions in MCP tool metadata
TOXIC_FLOWfindings: flags cross-tool manipulation patterns- Rug-pull tracking:
NEW_SERVERandCONFIG_CHANGEfindings detect server changes between scans
Malicious skill and rule content in public ecosystems
Malicious skill and rule content in public ecosystems
Public examples: Snyk ToxicSkills campaign and related disclosures.What happened: Publicly available skill and rule markdown files were found to contain high-impact payloads embedded in normal-looking instruction text. Users who installed these skills exposed their agents to adversarial behavioral instructions without any visible warning.Why it matters: Instruction files can hide high-impact payloads in normal markdown. Content that appears to be documentation to a human reader functions as an adversarial prompt when consumed by an agent.CodeGate capability families:
- Rule/skill maliciousness detection:
RULE_INJECTIONfindings (Layer 2) - Unicode analysis: detects hidden characters used for visual spoofing (bidirectional override, zero-width joiners)
- Local text analysis (Layer 3, opt-in): text-only instruction-file analysis via supported meta-agent
- Suspicious pattern heuristics across discovered markdown surfaces
Compromised marketplace and extension integrity
Compromised marketplace and extension integrity
Public examples: Open VSX advisories; JFrog research on Amazon Q extension compromise.What happened: Extensions in established marketplaces were found to have been modified or replaced with versions containing malicious behavior. The trust signal users rely on—“this is in the official marketplace”—was not sufficient to guarantee integrity.Why it matters: Supply-chain trust can fail even in established ecosystems. Installation from a known source does not guarantee the installed artifact is safe.CodeGate capability families:
- Plugin and extension provenance checks (Layer 1/2)
- Signature and attestation policy controls
- Transparency checks for extension manifests
Scope and limits
CodeGate is an awareness and decision-support tool.- It is not a complete prevention system.
- Detection quality depends on known patterns, configuration coverage, and available context.
- New attack techniques can appear before signatures and heuristics are updated.
- Deep analysis is opt-in and should be used with clear operator intent.