AI Post

AI coding agents blindly follow instructions in repo context files. Attackers will use this. Coding agents like Claude Code and Codex reliably follow instructions placed in http://AGENTS.md and http://CLAUDE.md files. When a context file says "use this tool," the agent uses it. When it says "run this command," the agent runs it. Tool usage jumps from near-zero to multiple calls per task just because the context file mentions a tool by name. Now think about what this means from an attacker's perspective. 60,000+ public repos already contain these files. A poisoned http://AGENTS.md in a compromised repo can steer your agent to traverse specific directories, run specific commands and execute specific tools. No questions asked. This is prompt injection in your software supply chain. The practical takeaway: skip auto-generated context files for now. If you write one manually, keep it minimal. Only include what the agent can't figure out on its own, like specific tooling requirements.