# AI Now Finds Coding-Agent Review Hijack Risk

> Source: <https://letsdatascience.com/news/ai-now-finds-coding-agent-review-hijack-risk-329357b6>
> Published: 2026-07-09 17:03:41+00:00

# AI Now Finds Coding-Agent Review Hijack Risk

Security review agents create a new failure mode when they can run commands while inspecting untrusted code. AI Now Institute published Friendly Fire on July 8, 2026, a proof-of-concept showing that autonomous coding agents can be manipulated during defensive review workflows. The research says the pattern affects Anthropic Claude Code and OpenAI Codex when they are configured to approve their own commands in autonomous modes. The practical risk is not limited to one prompt or repository: command-capable agents combine code reading, shell execution, and trust decisions in the same loop. Teams should isolate untrusted code, avoid autonomous approvals for third-party reviews, restrict credentials, and treat coding-agent sandboxes as production security boundaries.

### Why it matters

AI coding agents are moving from suggestion tools into systems that inspect repositories, run tests, execute shell commands, and propose security fixes. That creates a sharp risk boundary: if the agent is asked to review hostile or untrusted code, the review workflow itself can become an execution surface. This is especially relevant for teams using agents to triage open-source dependencies, bug bounty submissions, vendor packages, or unfamiliar customer code.

### What happened

AI Now Institute published Friendly Fire on July 8, 2026. The brief describes a proof-of-concept in which autonomous coding agents used for defensive review can be manipulated into host-side code execution while inspecting an untrusted repository. The affected pattern is tied to command-capable agents that automatically approve commands they classify as safe. AI Now names Anthropic Claude Code and OpenAI Codex in those autonomous review modes. The Hacker News covered the finding on July 9 and framed the issue as a case where tools meant to inspect malicious code can become the way that code reaches the host.

### Practitioner impact

The safe operating response is straightforward and does not require reproducing the exploit. Keep command-capable agents away from untrusted code unless they are inside isolated, disposable environments. Disable autonomous approvals for third-party review tasks, scope credentials tightly, log all tool calls, and require human review before commands touch the filesystem, network, or secrets. Agent security now has to include workflow design, not only model-level refusal behavior.

## Key Points

- 1AI Now showed autonomous coding agents can turn security review workflows into host-side code execution risk.
- 2The affected pattern involves command-capable agents reviewing untrusted repositories while auto-approving commands they classify as safe.
- 3Teams should isolate untrusted code, disable autonomous approvals, and treat agent review sandboxes as production security boundaries.

## Scoring Rationale

The finding is notable because it affects high-adoption coding-agent workflows and exposes a direct execution risk when agents inspect untrusted code. It is below critical because it is framed as a proof of concept and the practical mitigation is workflow isolation and approval control.

## Sources

Public references used for this report.

Practice interview problems based on real data

1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.

[Try 250 free problems](/problems)
