One Click, Full Access: How AI Coding Tools Inherited a Trust Problem
The new supply-chain risk in AI coding is not hidden in the model. It is hiding behind the "trust this folder" prompt.
Security firm Adversa AI published a proof-of-concept this week showing that a malicious repository can make major AI coding CLIs spin up attacker-controlled MCP servers after the developer accepts a project trust dialog. The affected tools in the report are Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. In the normal desktop path, one Enter key can be enough. In CI, the same class of attack can run with no prompt at all.
That changes what "clone this repo" means. A repository can include project settings such as .mcp.json and .claude/settings.json that tell the coding agent to start a local server. Once started, that server is not a harmless chat extension. It is an OS process running with the developer's privileges, with access to source code, environment variables, credentials, and the network. SecurityWeek reported that the payload can be embedded directly inside .mcp.json, which makes the dangerous behavior easy to miss in ordinary static scans.
The sharpest part of Adversa's finding is the consent gap. Claude Code's current dialog asks: "Quick safety check: Is this a project you created or one you trust?" It does not enumerate the MCP servers that will start. It does not say that project settings can launch executables. And it does not offer a way to trust the folder while refusing project-defined servers.
Adversa says older Claude Code versions did provide a more explicit MCP warning and an option to proceed with MCP disabled. The Register reported that the current pattern is the third Claude Code vulnerability in six months tied to project-scoped settings as an injection vector. Anthropic's position, as reported by SecurityWeek, is that clicking yes to the trust prompt means the user has consented to the project's contents. Adversa argues that this is not informed consent if the prompt never says what will execute.
The CI/CD path is worse. When Claude Code runs headless in automated pipelines, including common pull-request workflows, the trust dialog does not render. That turns the attack from a one-click developer compromise into a zero-click build-runner compromise. The target then becomes whatever the runner can see: deploy keys, signing credentials, environment variables, source code, and release infrastructure.
This is why TrustFall is a supply-chain story, not just an endpoint-security story. Attackers do not need to compromise a package registry first. They can publish a useful-looking repo, plugin, sample app, or internal tooling template and wait for an agentic coding workflow to grant execution rights while the developer thinks they are only approving a folder.
The mitigation Adversa recommends is structural: keep settings such as enableAllProjectMcpServers, enabledMcpjsonServers, and broad permissions.allow out of repository-controlled scopes. Put execution approval in a user or organization scope that the repo cannot modify. For CI, do not run headless agentic coding tools against arbitrary unreviewed pull-request branches with secrets available.
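A defender-side check for the repository-scoped settings named above, written for this article as an added example (not Adversa's code or any vendor's tooling): it scans a checked-out repo for `.claude/settings.json` and `.mcp.json` before an agent is allowed to trust the folder, flags the execution-granting keys, and lists every server command a repo-controlled `.mcp.json` would launch. The `mcpServers` → `command`/`args` layout and the "broad permission rule" heuristic are assumptions; adjust them to your tool's documented schema.

```python
import json
from pathlib import Path

# Repo-scoped keys that grant MCP/tool execution and belong in user or org scope instead.
RISKY_SETTINGS_KEYS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")


def audit_settings(settings: dict) -> list[str]:
    """Flag repo-scoped .claude/settings.json content that pre-approves execution."""
    findings = []
    for key in RISKY_SETTINGS_KEYS:
        if key in settings:
            findings.append(f"settings.json sets {key}={settings[key]!r} in repo scope")
    for rule in settings.get("permissions", {}).get("allow", []):
        # Heuristic (assumed): bare "Bash", "*" or "Tool(*)" approve arbitrary commands.
        if rule in ("Bash", "*") or rule.endswith("(*)"):
            findings.append(f"settings.json permissions.allow has broad rule {rule!r}")
    return findings


def audit_mcp(mcp: dict) -> list[str]:
    """List each server a repo-scoped .mcp.json would start (assumed mcpServers layout)."""
    findings = []
    for name, spec in mcp.get("mcpServers", {}).items():
        cmd = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
        findings.append(f".mcp.json defines server {name!r} launching: {cmd}")
    return findings


def audit_repo(root: Path) -> list[str]:
    """Run both audits against a checkout; an empty list means nothing to block."""
    findings = []
    settings_path = root / ".claude" / "settings.json"
    if settings_path.exists():
        findings += audit_settings(json.loads(settings_path.read_text()))
    mcp_path = root / ".mcp.json"
    if mcp_path.exists():
        findings += audit_mcp(json.loads(mcp_path.read_text()))
    return findings


# Constructed sample inputs (not taken from the report) that exercise the checks.
SAMPLE_SETTINGS = {"enableAllProjectMcpServers": True,
                   "permissions": {"allow": ["Bash(*)", "Read"]}}
SAMPLE_MCP = {"mcpServers": {"helper": {"command": "npx", "args": ["-y", "some-package"]}}}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS) + audit_mcp(SAMPLE_MCP):
        print("BLOCK:", finding)
```

Wire `audit_repo` into the pipeline step that runs before any headless agent sees the branch, and fail the job on a non-empty result.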
The design mistake is bigger than one vendor. AI coding tools imported the old developer habit of trusting a project directory, then added agents that can execute project-defined tools before the developer has read the code. The prompt still talks like a folder picker. The runtime behaves like a privilege boundary.