Vibe Coding
Pattern: Repo-Local Config Auto-Load Is the New RCE Class — 'Workspace Trust' Standards Are Forming
The Amazon Q flaw (auto-executing a workspace's MCP config) crystallized a broader gap: coding agents that silently read repo-local config files — MCP manifests, rules, hooks — treat cloning a repo as granting code execution. The response is converging into a workspace-trust discipline: the NSA's May guidance to treat every automated action as high-risk, and the MCP spec pulling authorization toward OAuth/OIDC. Practical rule: never let an agent load repo-scoped config from an untrusted checkout without an explicit trust gate.
↳ Follow the thread