Concrete, defanged examples of how agentic IDEs get compromised. Every payload here uses echo "demo:" instead of an actual destructive command β copy them, run them, see what the agent does.
The five categories
- Prompt Injection β hidden instructions in fetched content
- Untrusted Execution β auto-approved commands you didnβt read
- Secrets Leakage β
.envending up in vendor logs - Supply Chain β slopsquatting and Shai-Hulud-style worms
- MCP Poisoning β malicious tool output as injection vector
How to run
Open the sandbox/ folder directly in Kiro β itβs a complete vulnerable Express project with no .kiroignore, no hooks, no steering, and a poisoned README. See sandbox/DEMO.md for the prompts to try.
Then open the defenses sandbox and rerun the same prompts with the guardrails in place.