Evidence for Developers

AI security for developers and software teams.

Technical AI security guidance for developers using assistants and agents around repositories, commands, secrets, dependencies, and production systems.

Developer workflows join high-value source code with tools that can retrieve context, propose changes, run commands, and cross trust boundaries quickly.

CapitalGuard Security Research · Updated July 14, 2026 · Primary sources only

10

AI surfaces

10

Exposure types

100

Evidence guides

connected assistant

ChatGPT

Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.

Private file access

ChatGPT Private file access for Developers

Uploads, projects, synced apps, and file-search connections can make selected documents available as context.

Open evidence guide

Credential exposure

ChatGPT Credential exposure for Developers

Credentials can arrive through pasted configuration, uploaded source files, screenshots, or connected Drive content.

Open evidence guide

Client confidentiality

ChatGPT Client confidentiality for Developers

A personal ChatGPT account can mix client prompts, files, memories, and app context unless the user separates work deliberately.

Open evidence guide

Prompt injection

ChatGPT Prompt injection for Developers

Retrieved webpages, uploaded documents, and app results can contain instructions that should be treated as untrusted content.

Open evidence guide

Connector permissions

ChatGPT Connector permissions for Developers

ChatGPT apps may search connected sources, sync content, or perform write actions within granted scopes.

Open evidence guide

Command execution

ChatGPT Command execution for Developers

Standard conversation is text-only, but custom apps, workspace agents, or connected action tools can change external systems when enabled.

Open evidence guide

Unsafe generated code

ChatGPT Unsafe generated code for Developers

ChatGPT may suggest code, dependencies, shell commands, and configuration that still require independent verification.

Open evidence guide

History and sharing

ChatGPT History and sharing for Developers

History, memories, projects, Temporary Chats, and shared links follow different controls and should be reviewed separately.

Open evidence guide

Accidental oversharing

ChatGPT Accidental oversharing for Developers

Large pastes, screenshots, uploads, and connected-app retrieval can include more information than the visible question requires.

Open evidence guide

Autonomous actions

ChatGPT Autonomous actions for Developers

Apps can be configured to read automatically or take actions with different approval levels, including elevated persistent choices where available.

Open evidence guide

connected assistant

Claude

Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.

Private file access

Claude Private file access for Developers

Files, project knowledge, Google Workspace connections, and other connectors can make selected work retrievable in Claude.

Open evidence guide

Credential exposure

Claude Credential exposure for Developers

Secrets can enter through code uploads, pasted logs, project knowledge, Drive documents, or connector results.

Open evidence guide

Client confidentiality

Claude Client confidentiality for Developers

Client files can persist in conversations or project knowledge and may be retrievable through connectors inherited from the user account.

Open evidence guide

Prompt injection

Claude Prompt injection for Developers

Documents, webpages, connector output, and MCP resources may contain instructions that conflict with the user’s goal.

Open evidence guide

Connector permissions

Claude Connector permissions for Developers

Claude connectors can inherit access from services such as Drive, Slack, or Linear and may expose both read and write tools.

Open evidence guide

Command execution

Claude Command execution for Developers

Ordinary Claude chat is not a local shell, but connectors and computer or coding surfaces may expose action tools.

Open evidence guide

Unsafe generated code

Claude Unsafe generated code for Developers

Claude can generate code and installation instructions that may be plausible but incomplete, outdated, or unsafe for the user’s environment.

Open evidence guide

History and sharing

Claude History and sharing for Developers

Claude chats are private by default but can be shared as snapshots; projects and uploaded files have separate visibility rules.

Open evidence guide

Accidental oversharing

Claude Accidental oversharing for Developers

Artifacts, screenshots, long documents, and connector retrieval can surface details beyond the line the user intended to discuss.

Open evidence guide

Autonomous actions

Claude Autonomous actions for Developers

Connectors may retrieve data or take actions such as creating issues, sending messages, or changing records when the tool is permitted.

Open evidence guide

connected assistant

Gemini

Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.

Private file access

Gemini Private file access for Developers

Gemini can receive files, screens, photos, page context, and information from connected apps when those features are used.

Open evidence guide

Credential exposure

Gemini Credential exposure for Developers

Tokens or passwords can appear in uploaded screenshots, browser page context, code files, Drive content, or copied logs.

Open evidence guide

Client confidentiality

Gemini Client confidentiality for Developers

Client content may enter through uploads, connected Google services, live screen sharing, or a work account whose policies differ from a personal account.

Open evidence guide

Prompt injection

Gemini Prompt injection for Developers

Web content, connected-app results, emails, documents, and shared screens can contain text that should not become trusted instructions.

Open evidence guide

Connector permissions

Gemini Connector permissions for Developers

Connected Google and third-party apps can expose account information according to their permissions and retain shared data under their own policies.

Open evidence guide

Command execution

Gemini Command execution for Developers

Consumer Gemini chat is not automatically a shell, but device actions, extensions, or connected services may perform operations.

Open evidence guide

Unsafe generated code

Gemini Unsafe generated code for Developers

Gemini-generated code or commands may omit environment-specific constraints or suggest dependencies that need verification.

Open evidence guide

History and sharing

Gemini History and sharing for Developers

Gemini Apps Activity, public links, saved information, connected-service data, and reviewed content follow different retention rules.

Open evidence guide

Accidental oversharing

Gemini Accidental oversharing for Developers

Live screen, camera, audio, uploaded files, and browser page context can capture background information outside the intended question.

Open evidence guide

Autonomous actions

Gemini Autonomous actions for Developers

Gemini may use connected apps or device-assistant capabilities to take actions based on available permissions.

Open evidence guide

connected assistant

Microsoft Copilot

The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.

Private file access

Microsoft Copilot Private file access for Developers

Copilot may use uploaded files, the active Microsoft 365 document, recent files, or connected-service content depending on the surface.

Open evidence guide

Credential exposure

Microsoft Copilot Credential exposure for Developers

Credentials may appear in uploaded files, screenshots, recent documents, synced browser data, code, or copied support logs.

Open evidence guide

Client confidentiality

Microsoft Copilot Client confidentiality for Developers

Client data can enter a consumer Copilot chat or a managed Microsoft 365 context with different controls and retention.

Open evidence guide

Prompt injection

Microsoft Copilot Prompt injection for Developers

Connected service results, documents, email, webpages, and shared files may contain untrusted instructions.

Open evidence guide

Connector permissions

Microsoft Copilot Connector permissions for Developers

Connections can make files, email, contacts, calendar events, and other service data retrievable through Copilot.

Open evidence guide

Command execution

Microsoft Copilot Command execution for Developers

Most consumer interactions are not a general shell, but connected services and Microsoft 365 features can create or modify external content.

Open evidence guide

Unsafe generated code

Microsoft Copilot Unsafe generated code for Developers

Copilot can generate code, formulas, scripts, and commands whose safety depends on the user’s environment and review.

Open evidence guide

History and sharing

Microsoft Copilot History and sharing for Developers

Consumer history, Microsoft 365 activity, uploaded files, and organizational records may be controlled in different locations.

Open evidence guide

Accidental oversharing

Microsoft Copilot Accidental oversharing for Developers

Recent files, full documents, screenshots, and connected services can surface more context than a short prompt suggests.

Open evidence guide

Autonomous actions

Microsoft Copilot Autonomous actions for Developers

Connected Copilot experiences may draft, create, change, or communicate within Microsoft services when the feature permits.

Open evidence guide

connected assistant

Perplexity

The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.

Private file access

Perplexity Private file access for Developers

Perplexity can work with session uploads, project files, personal repositories, organizational files, and connected storage depending on plan.

Open evidence guide

Credential exposure

Perplexity Credential exposure for Developers

Secrets can enter through uploaded code, configuration, screenshots, search queries, or files synchronized from storage.

Open evidence guide

Client confidentiality

Perplexity Client confidentiality for Developers

Client files may persist in projects or repositories, and sharing can expose responses that reference connected material.

Open evidence guide

Prompt injection

Perplexity Prompt injection for Developers

Search results, webpages, uploaded documents, and connected files can carry instructions that should not control the assistant.

Open evidence guide

Connector permissions

Perplexity Connector permissions for Developers

Enterprise connectors can include cloud storage and knowledge sources whose permissions determine what files can be searched.

Open evidence guide

Command execution

Perplexity Command execution for Developers

Perplexity search and chat are not a general local shell, although generated commands or connected capabilities can still influence external actions.

Open evidence guide

Unsafe generated code

Perplexity Unsafe generated code for Developers

Generated code and cited technical answers can still contain vulnerable patterns, obsolete APIs, or unsafe commands.

Open evidence guide

History and sharing

Perplexity History and sharing for Developers

Sessions, projects, uploaded files, Pages, and Enterprise repositories have different retention and visibility rules.

Open evidence guide

Accidental oversharing

Perplexity Accidental oversharing for Developers

Search queries and uploads can include confidential terms, full documents, account details, or source material beyond the research need.

Open evidence guide

Autonomous actions

Perplexity Autonomous actions for Developers

Search and answer generation are usually advisory, but enterprise connectors and future action surfaces should be reviewed for actual write authority.

Open evidence guide

coding assistant

GitHub Copilot

The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.

Private file access

GitHub Copilot Private file access for Developers

Editor context, local workspaces, and repository indexes can expose more than the file currently visible to the developer.

Open evidence guide

Credential exposure

GitHub Copilot Credential exposure for Developers

Secrets can appear in repository history, local untracked files, configuration, actions logs, test fixtures, and editor context.

Open evidence guide

Client confidentiality

GitHub Copilot Client confidentiality for Developers

Agency and freelancer workspaces can mix multiple client repositories and local folders inside one editor context.

Open evidence guide

Prompt injection

GitHub Copilot Prompt injection for Developers

Issues, pull requests, comments, documentation, code, and repository instructions can contain untrusted text that influences an agent.

Open evidence guide

Connector permissions

GitHub Copilot Connector permissions for Developers

Copilot agents operate within GitHub permissions and may interact with repositories, issues, pull requests, and workflows.

Open evidence guide

Command execution

GitHub Copilot Command execution for Developers

Agent workflows may run tools or propose changes beyond ordinary inline completion, depending on the product surface.

Open evidence guide

Unsafe generated code

GitHub Copilot Unsafe generated code for Developers

Copilot suggestions and agent pull requests can introduce vulnerable logic, unsafe dependencies, or incomplete tests.

Open evidence guide

History and sharing

GitHub Copilot History and sharing for Developers

Chat logs, pull requests, issues, comments, and agent artifacts may preserve sensitive context in different GitHub surfaces.

Open evidence guide

Accidental oversharing

GitHub Copilot Accidental oversharing for Developers

Opening a broad workspace or attaching repository context can expose unrelated code, comments, logs, and configuration.

Open evidence guide

Autonomous actions

GitHub Copilot Autonomous actions for Developers

Copilot agents can create changes and workflow artifacts that move through GitHub’s collaboration system.

Open evidence guide

coding agent

Cursor

Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.

Private file access

Cursor Private file access for Developers

Cursor can use open files, workspace context, codebase indexes, agent tools, and local project data to answer and act.

Open evidence guide

Credential exposure

Cursor Credential exposure for Developers

Environment files, local configuration, terminal output, logs, and indexed code can place credentials near AI context.

Open evidence guide

Client confidentiality

Cursor Client confidentiality for Developers

A single Cursor workspace can contain client code, local files, indexes, chat context, and model-provider requests.

Open evidence guide

Prompt injection

Cursor Prompt injection for Developers

Repository instructions, documentation, issues, web results, and MCP tool output can influence Cursor agents.

Open evidence guide

Connector permissions

Cursor Connector permissions for Developers

MCP servers, extensions, model providers, and web search widen the systems and data Cursor can interact with.

Open evidence guide

Command execution

Cursor Command execution for Developers

Cursor agents can propose or execute terminal commands with the user’s local environment and project context.

Open evidence guide

Unsafe generated code

Cursor Unsafe generated code for Developers

Agent-generated multi-file changes can introduce insecure logic, dependencies, workflows, or configuration at high speed.

Open evidence guide

History and sharing

Cursor History and sharing for Developers

Chat history, memories, indexes, code metadata, and model-provider handling depend on settings and feature use.

Open evidence guide

Accidental oversharing

Cursor Accidental oversharing for Developers

A broad workspace, selected files, terminal output, and indexed code can provide more context than a short question suggests.

Open evidence guide

Autonomous actions

Cursor Autonomous actions for Developers

Background or agent features can make edits and run tools with less continuous attention than inline assistance.

Open evidence guide

coding agent

Claude Code

Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.

Private file access

Claude Code Private file access for Developers

Claude Code can read project files and, depending on permissions, may read beyond the working directory even when writes are narrower.

Open evidence guide

Credential exposure

Claude Code Credential exposure for Developers

Environment variables, .env files, shell credentials, SSH material, cloud configuration, logs, and MCP tokens can enter context.

Open evidence guide

Client confidentiality

Claude Code Client confidentiality for Developers

A local session can read client code and nearby files under the developer’s account, while account terms and API transport still matter.

Open evidence guide

Prompt injection

Claude Code Prompt injection for Developers

Repository files, web content, dependencies, issues, and MCP output may contain instructions that attempt to redirect the agent.

Open evidence guide

Connector permissions

Claude Code Connector permissions for Developers

MCP servers and hooks can expose local commands, files, APIs, tokens, and external services to the agent.

Open evidence guide

Command execution

Claude Code Command execution for Developers

Claude Code can execute Bash commands, and bypass or unsandboxed modes materially reduce protection.

Open evidence guide

Unsafe generated code

Claude Code Unsafe generated code for Developers

Claude Code can apply multi-file edits, install dependencies, run tests, and modify configuration within its granted scope.

Open evidence guide

History and sharing

Claude Code History and sharing for Developers

Local and cloud sessions, account privacy choices, logs, and exported output may preserve code context in different places.

Open evidence guide

Accidental oversharing

Claude Code Accidental oversharing for Developers

Starting in a home or monorepo directory can expose far more readable context than the intended project.

Open evidence guide

Autonomous actions

Claude Code Autonomous actions for Developers

Non-interactive, auto, background, or bypass modes can continue work with fewer prompts inside the configured boundary.

Open evidence guide

coding agent

OpenAI Codex

Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.

Private file access

OpenAI Codex Private file access for Developers

Codex can read repository and workspace files within the environment supplied to the task, with scope varying by local or cloud setup.

Open evidence guide

Credential exposure

OpenAI Codex Credential exposure for Developers

Environment variables, repository config, shell output, cloud secrets, and local credential files can become reachable if included in scope.

Open evidence guide

Client confidentiality

OpenAI Codex Client confidentiality for Developers

Client repositories and files may be processed locally or through connected cloud environments under different account and access controls.

Open evidence guide

Prompt injection

OpenAI Codex Prompt injection for Developers

Repository instructions, issues, webpages, dependency content, plugins, and MCP output can attempt to influence agent behavior.

Open evidence guide

Connector permissions

OpenAI Codex Connector permissions for Developers

GitHub connections, plugins, MCP servers, and external tools can widen Codex access beyond the local repository.

Open evidence guide

Command execution

OpenAI Codex Command execution for Developers

Codex can run commands under the configured sandbox and approval policy, with escalation requiring explicit authorization.

Open evidence guide

Unsafe generated code

OpenAI Codex Unsafe generated code for Developers

Codex can patch code, run tests, and propose multi-file changes that still require repository-specific review.

Open evidence guide

History and sharing

OpenAI Codex History and sharing for Developers

Tasks, terminal output, patches, cloud runs, and exported artifacts may preserve code context beyond the immediate prompt.

Open evidence guide

Accidental oversharing

OpenAI Codex Accidental oversharing for Developers

A task rooted too high in the filesystem or connected to a broad repository set can expose unrelated context.

Open evidence guide

Autonomous actions

OpenAI Codex Autonomous actions for Developers

Long-running or cloud tasks can continue across multiple steps inside the permissions and integrations granted at launch.

Open evidence guide

connected assistant

MCP-Connected AI Assistants

MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.

Private file access

MCP-Connected AI Assistants Private file access for Developers

A local or remote MCP server can expose files, databases, knowledge bases, or APIs as resources and tools.

Open evidence guide

Credential exposure

MCP-Connected AI Assistants Credential exposure for Developers

MCP server configs, environment variables, OAuth tokens, local process credentials, logs, and tool results can expose secrets.

Open evidence guide

Client confidentiality

MCP-Connected AI Assistants Client confidentiality for Developers

An agency MCP setup can bridge one assistant to multiple client systems if servers, credentials, and sessions are reused.

Open evidence guide

Prompt injection

MCP-Connected AI Assistants Prompt injection for Developers

Tool descriptions, resource content, server responses, and resumed session events can carry malicious instructions.

Open evidence guide

Connector permissions

MCP-Connected AI Assistants Connector permissions for Developers

MCP authorization can bridge an AI client to broad third-party API scopes and downstream resources.

Open evidence guide

Command execution

MCP-Connected AI Assistants Command execution for Developers

Local stdio MCP servers run processes on the user’s machine and may inherit local filesystem and network privileges.

Open evidence guide

Unsafe generated code

MCP-Connected AI Assistants Unsafe generated code for Developers

MCP tools that generate, install, or execute code can combine model output with downstream system authority.

Open evidence guide

History and sharing

MCP-Connected AI Assistants History and sharing for Developers

Stateful MCP sessions, logs, resumed streams, tool results, and client histories can preserve sensitive data across requests.

Open evidence guide

Accidental oversharing

MCP-Connected AI Assistants Accidental oversharing for Developers

A broadly defined resource or tool can return entire records, directories, mailboxes, or databases when the task needs one field.

Open evidence guide

Autonomous actions

MCP-Connected AI Assistants Autonomous actions for Developers

An MCP client may chain multiple tools across systems, allowing one instruction to create side effects in several services.

Open evidence guide

The useful outcome

Make access explainable.

The team can reproduce what the tool accessed, separate read and write authority, protect secrets, and review consequential changes before execution.

Review CapitalGuard Licenses

How this collection is built

Every page combines one documented AI surface, one concrete exposure type, and one visible working context. A page is published only when it has a unique access scenario, a safe check, practical controls, and at least three primary references.

Read the publication method