Are AI coding agents safe, or is prompt injection a real risk?

Why injection becomes code execution

A chatbot that gets injected says something wrong; a coding agent that gets injected can do something wrong, because it's wired to a shell, a package manager, and your credentials. The injected instruction arrives in the same context as yours and the model can't reliably tell them apart.

Why a better prompt won't save you

Telling the model to ignore injected commands is like telling a SQL query not to be injected. Adaptive attacks bypass prompt-level defenses well over 80% of the time. The boundary has to live in the system around the model, where it's enforced, not requested.

How we make agents safe in production

We scope the agent's own credentials (never a dev's god-key), sandbox its execution away from prod and secrets, gate the irreversible to a human, and audit every tool call — so when an injection lands, the blast radius is small and visible.

Straight answers.

Do allowlists stop prompt injection?

Not on their own. A 2026 CVE showed an allowlist being used to deliver the payload. An allowlist narrows what can run; it doesn't verify why it's running. Use it as one layer, not the defense.

Should we just not let agents run commands?

You can, but you lose most of the value. The better answer is least privilege plus a sandbox plus human gates, so the agent is productive and contained at the same time.

Is this only a risk for autonomous agents?

Any agent with tool access is exposed, autonomous or not. If it can read untrusted input and run a tool, an injection can chain the two. Treat tool access as the line that needs the controls.