Tagged: AIAgentLens

Two days ago we put a paste box on the open internet. Type a shell command, hit Evaluate, get a verdict — BLOCK, AUDIT, or ALLOW. Same on a second tab for MCP tool calls: tool name, JSON-style args, evaluate, verdict.

A real bypass, a new analyzer layer, and the design pattern behind it.

When the agent knows it's being watched — detecting eval-aware code patterns before they ship.

Last week I sat down to write a single rule — block an AI agent from reading ~/.cache/op/, the 1Password CLI v2 session cache. A junior security person would look at the ticket and think: "one file, one regex, an afternoon."

Seven days later I had shipped twenty.

AI coding agents are rewriting software faster than any human team could. Cursor, Windsurf, Claude Code, Gemini CLI — they ship features in minutes. But they also run shell commands, call MCP tools, and modify files with the same speed and less judgment than a human developer.

Anthropic just did something nobody expected. They built a model so good at finding security vulnerabilities that they're scared to release it publicly.

I've been building software for over 20 years. And I'll be honest — when the term "AI agent" started flooding my LinkedIn feed in 2023, I rolled my eyes. It felt like a rebranding of chatbots with better PR. Little could I have predicted its impact.

I run an AI security company. I'm supposed to tell you AI risk is manageable — that with the right governance framework and a good dashboard, you'll sleep fine.

I don't believe that anymore.

This post is about the files on your Mac that MCP servers can access — the ones most developers don't know are exposed — and what you can do about it.

The fastest way to wipe your laptop in 2026 is to ask an AI to refactor your repo. Not because the model is malicious, but because a single prompt injection, a poisoned MCP server, or a hallucinated shell command is all it takes to put rm -rf / one keystroke from your filesystem.

Vibe coding is real now. Developers are shipping entire services by describing what they want to Claude Code or Cursor. I've done it. You've probably done it. The output is surprisingly good.

Model Context Protocol has had a remarkable run. In under a year, it became the default way to wire AI agents to external tools — databases, APIs, file systems, cloud services, crypto wallets. Cursor, Windsurf, Claude Code, and most serious AI coding environments now ship with MCP support out of the box. The ecosystem is growing fast.

Which makes the next part worth paying attention to.

AI agents aren't experimental anymore. They write code, run shell commands, call external APIs, and orchestrate complex workflows — usually with the same OS privileges as the developer who launched them. That convenience is real. So is the risk.