AI security evidence library
100 precise checks for the AI tools people actually use.
Ten AI surfaces crossed with ten real exposure types. Every guide explains the boundary, warning signs, safe test, practical controls, and the point where a formal CapitalGuard baseline becomes useful.
Published by CapitalGuard Security Research · Updated July 13, 2026 · Primary sources only
10
AI surfaces
10
Exposure types
100
Evidence guides
connected assistant
ChatGPT
Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.
connected assistant
ChatGPT
Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.
Private file access
ChatGPT Private File Access: What to Check
Uploads, projects, synced apps, and file-search connections can make selected documents available as context.
Open evidence guideCredential exposure
ChatGPT API Key Exposure: Check Before You Share
Credentials can arrive through pasted configuration, uploaded source files, screenshots, or connected Drive content.
Open evidence guideClient confidentiality
ChatGPT Client Data Safety for Freelancers
A personal ChatGPT account can mix client prompts, files, memories, and app context unless the user separates work deliberately.
Open evidence guidePrompt injection
ChatGPT Prompt Injection: A Practical Defense
Retrieved webpages, uploaded documents, and app results can contain instructions that should be treated as untrusted content.
Open evidence guideConnector permissions
ChatGPT Connector Permissions: Review the Real Scope
ChatGPT apps may search connected sources, sync content, or perform write actions within granted scopes.
Open evidence guideCommand execution
ChatGPT Command Execution: Keep Control
Standard conversation is text-only, but custom apps, workspace agents, or connected action tools can change external systems when enabled.
Open evidence guideUnsafe generated code
ChatGPT Generated Code Risks: Review Before You Run
ChatGPT may suggest code, dependencies, shell commands, and configuration that still require independent verification.
Open evidence guideHistory and sharing
ChatGPT Chat History and Shared Links: Privacy Check
History, memories, projects, Temporary Chats, and shared links follow different controls and should be reviewed separately.
Open evidence guideAccidental oversharing
ChatGPT Sensitive Data: What Not to Paste
Large pastes, screenshots, uploads, and connected-app retrieval can include more information than the visible question requires.
Open evidence guideAutonomous actions
ChatGPT Autonomous Actions: Approval Safety Guide
Apps can be configured to read automatically or take actions with different approval levels, including elevated persistent choices where available.
Open evidence guideconnected assistant
Claude
Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.
connected assistant
Claude
Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.
Private file access
Claude Private File Access: What to Check
Files, project knowledge, Google Workspace connections, and other connectors can make selected work retrievable in Claude.
Open evidence guideCredential exposure
Claude API Key Exposure: Check Before You Share
Secrets can enter through code uploads, pasted logs, project knowledge, Drive documents, or connector results.
Open evidence guideClient confidentiality
Claude Client Data Safety for Freelancers
Client files can persist in conversations or project knowledge and may be retrievable through connectors inherited from the user account.
Open evidence guidePrompt injection
Claude Prompt Injection: A Practical Defense
Documents, webpages, connector output, and MCP resources may contain instructions that conflict with the user’s goal.
Open evidence guideConnector permissions
Claude Connector Permissions: Review the Real Scope
Claude connectors can inherit access from services such as Drive, Slack, or Linear and may expose both read and write tools.
Open evidence guideCommand execution
Claude Command Execution: Keep Control
Ordinary Claude chat is not a local shell, but connectors and computer or coding surfaces may expose action tools.
Open evidence guideUnsafe generated code
Claude Generated Code Risks: Review Before You Run
Claude can generate code and installation instructions that may be plausible but incomplete, outdated, or unsafe for the user’s environment.
Open evidence guideHistory and sharing
Claude Chat History and Shared Links: Privacy Check
Claude chats are private by default but can be shared as snapshots; projects and uploaded files have separate visibility rules.
Open evidence guideAccidental oversharing
Claude Sensitive Data: What Not to Paste
Artifacts, screenshots, long documents, and connector retrieval can surface details beyond the line the user intended to discuss.
Open evidence guideAutonomous actions
Claude Autonomous Actions: Approval Safety Guide
Connectors may retrieve data or take actions such as creating issues, sending messages, or changing records when the tool is permitted.
Open evidence guideconnected assistant
Gemini
Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.
connected assistant
Gemini
Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.
Private file access
Gemini Private File Access: What to Check
Gemini can receive files, screens, photos, page context, and information from connected apps when those features are used.
Open evidence guideCredential exposure
Gemini API Key Exposure: Check Before You Share
Tokens or passwords can appear in uploaded screenshots, browser page context, code files, Drive content, or copied logs.
Open evidence guideClient confidentiality
Gemini Client Data Safety for Freelancers
Client content may enter through uploads, connected Google services, live screen sharing, or a work account whose policies differ from a personal account.
Open evidence guidePrompt injection
Gemini Prompt Injection: A Practical Defense
Web content, connected-app results, emails, documents, and shared screens can contain text that should not become trusted instructions.
Open evidence guideConnector permissions
Gemini Connector Permissions: Review the Real Scope
Connected Google and third-party apps can expose account information according to their permissions and retain shared data under their own policies.
Open evidence guideCommand execution
Gemini Command Execution: Keep Control
Consumer Gemini chat is not automatically a shell, but device actions, extensions, or connected services may perform operations.
Open evidence guideUnsafe generated code
Gemini Generated Code Risks: Review Before You Run
Gemini-generated code or commands may omit environment-specific constraints or suggest dependencies that need verification.
Open evidence guideHistory and sharing
Gemini Chat History and Shared Links: Privacy Check
Gemini Apps Activity, public links, saved information, connected-service data, and reviewed content follow different retention rules.
Open evidence guideAccidental oversharing
Gemini Sensitive Data: What Not to Paste
Live screen, camera, audio, uploaded files, and browser page context can capture background information outside the intended question.
Open evidence guideAutonomous actions
Gemini Autonomous Actions: Approval Safety Guide
Gemini may use connected apps or device-assistant capabilities to take actions based on available permissions.
Open evidence guideconnected assistant
Microsoft Copilot
The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.
connected assistant
Microsoft Copilot
The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.
Private file access
Microsoft Copilot Private File Access: What to Check
Copilot may use uploaded files, the active Microsoft 365 document, recent files, or connected-service content depending on the surface.
Open evidence guideCredential exposure
Microsoft Copilot API Key Exposure: Check Before You Share
Credentials may appear in uploaded files, screenshots, recent documents, synced browser data, code, or copied support logs.
Open evidence guideClient confidentiality
Microsoft Copilot Client Data Safety for Freelancers
Client data can enter a consumer Copilot chat or a managed Microsoft 365 context with different controls and retention.
Open evidence guidePrompt injection
Microsoft Copilot Prompt Injection: A Practical Defense
Connected service results, documents, email, webpages, and shared files may contain untrusted instructions.
Open evidence guideConnector permissions
Microsoft Copilot Connector Permissions: Review the Real Scope
Connections can make files, email, contacts, calendar events, and other service data retrievable through Copilot.
Open evidence guideCommand execution
Microsoft Copilot Command Execution: Keep Control
Most consumer interactions are not a general shell, but connected services and Microsoft 365 features can create or modify external content.
Open evidence guideUnsafe generated code
Microsoft Copilot Generated Code Risks: Review Before You Run
Copilot can generate code, formulas, scripts, and commands whose safety depends on the user’s environment and review.
Open evidence guideHistory and sharing
Microsoft Copilot Chat History and Shared Links: Privacy Check
Consumer history, Microsoft 365 activity, uploaded files, and organizational records may be controlled in different locations.
Open evidence guideAccidental oversharing
Microsoft Copilot Sensitive Data: What Not to Paste
Recent files, full documents, screenshots, and connected services can surface more context than a short prompt suggests.
Open evidence guideAutonomous actions
Microsoft Copilot Autonomous Actions: Approval Safety Guide
Connected Copilot experiences may draft, create, change, or communicate within Microsoft services when the feature permits.
Open evidence guideconnected assistant
Perplexity
The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.
connected assistant
Perplexity
The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.
Private file access
Perplexity Private File Access: What to Check
Perplexity can work with session uploads, project files, personal repositories, organizational files, and connected storage depending on plan.
Open evidence guideCredential exposure
Perplexity API Key Exposure: Check Before You Share
Secrets can enter through uploaded code, configuration, screenshots, search queries, or files synchronized from storage.
Open evidence guideClient confidentiality
Perplexity Client Data Safety for Freelancers
Client files may persist in projects or repositories, and sharing can expose responses that reference connected material.
Open evidence guidePrompt injection
Perplexity Prompt Injection: A Practical Defense
Search results, webpages, uploaded documents, and connected files can carry instructions that should not control the assistant.
Open evidence guideConnector permissions
Perplexity Connector Permissions: Review the Real Scope
Enterprise connectors can include cloud storage and knowledge sources whose permissions determine what files can be searched.
Open evidence guideCommand execution
Perplexity Command Execution: Keep Control
Perplexity search and chat are not a general local shell, although generated commands or connected capabilities can still influence external actions.
Open evidence guideUnsafe generated code
Perplexity Generated Code Risks: Review Before You Run
Generated code and cited technical answers can still contain vulnerable patterns, obsolete APIs, or unsafe commands.
Open evidence guideHistory and sharing
Perplexity Chat History and Shared Links: Privacy Check
Sessions, projects, uploaded files, Pages, and Enterprise repositories have different retention and visibility rules.
Open evidence guideAccidental oversharing
Perplexity Sensitive Data: What Not to Paste
Search queries and uploads can include confidential terms, full documents, account details, or source material beyond the research need.
Open evidence guideAutonomous actions
Perplexity Autonomous Actions: Approval Safety Guide
Search and answer generation are usually advisory, but enterprise connectors and future action surfaces should be reviewed for actual write authority.
Open evidence guidecoding assistant
GitHub Copilot
The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.
coding assistant
GitHub Copilot
The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.
Private file access
GitHub Copilot Private File Access: What to Check
Editor context, local workspaces, and repository indexes can expose more than the file currently visible to the developer.
Open evidence guideCredential exposure
GitHub Copilot API Key Exposure: Check Before You Share
Secrets can appear in repository history, local untracked files, configuration, actions logs, test fixtures, and editor context.
Open evidence guideClient confidentiality
GitHub Copilot Client Data Safety for Freelancers
Agency and freelancer workspaces can mix multiple client repositories and local folders inside one editor context.
Open evidence guidePrompt injection
GitHub Copilot Prompt Injection: A Practical Defense
Issues, pull requests, comments, documentation, code, and repository instructions can contain untrusted text that influences an agent.
Open evidence guideConnector permissions
GitHub Copilot Connector Permissions: Review the Real Scope
Copilot agents operate within GitHub permissions and may interact with repositories, issues, pull requests, and workflows.
Open evidence guideCommand execution
GitHub Copilot Command Execution: Keep Control
Agent workflows may run tools or propose changes beyond ordinary inline completion, depending on the product surface.
Open evidence guideUnsafe generated code
GitHub Copilot Generated Code Risks: Review Before You Run
Copilot suggestions and agent pull requests can introduce vulnerable logic, unsafe dependencies, or incomplete tests.
Open evidence guideHistory and sharing
GitHub Copilot Chat History and Shared Links: Privacy Check
Chat logs, pull requests, issues, comments, and agent artifacts may preserve sensitive context in different GitHub surfaces.
Open evidence guideAccidental oversharing
GitHub Copilot Sensitive Data: What Not to Paste
Opening a broad workspace or attaching repository context can expose unrelated code, comments, logs, and configuration.
Open evidence guideAutonomous actions
GitHub Copilot Autonomous Actions: Approval Safety Guide
Copilot agents can create changes and workflow artifacts that move through GitHub’s collaboration system.
Open evidence guidecoding agent
Cursor
Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.
coding agent
Cursor
Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.
Private file access
Cursor Private File Access: What to Check
Cursor can use open files, workspace context, codebase indexes, agent tools, and local project data to answer and act.
Open evidence guideCredential exposure
Cursor API Key Exposure: Check Before You Share
Environment files, local configuration, terminal output, logs, and indexed code can place credentials near AI context.
Open evidence guideClient confidentiality
Cursor Client Data Safety for Freelancers
A single Cursor workspace can contain client code, local files, indexes, chat context, and model-provider requests.
Open evidence guidePrompt injection
Cursor Prompt Injection: A Practical Defense
Repository instructions, documentation, issues, web results, and MCP tool output can influence Cursor agents.
Open evidence guideConnector permissions
Cursor Connector Permissions: Review the Real Scope
MCP servers, extensions, model providers, and web search widen the systems and data Cursor can interact with.
Open evidence guideCommand execution
Cursor Command Execution: Keep Control
Cursor agents can propose or execute terminal commands with the user’s local environment and project context.
Open evidence guideUnsafe generated code
Cursor Generated Code Risks: Review Before You Run
Agent-generated multi-file changes can introduce insecure logic, dependencies, workflows, or configuration at high speed.
Open evidence guideHistory and sharing
Cursor Chat History and Shared Links: Privacy Check
Chat history, memories, indexes, code metadata, and model-provider handling depend on settings and feature use.
Open evidence guideAccidental oversharing
Cursor Sensitive Data: What Not to Paste
A broad workspace, selected files, terminal output, and indexed code can provide more context than a short question suggests.
Open evidence guideAutonomous actions
Cursor Autonomous Actions: Approval Safety Guide
Background or agent features can make edits and run tools with less continuous attention than inline assistance.
Open evidence guidecoding agent
Claude Code
Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.
coding agent
Claude Code
Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.
Private file access
Claude Code Private File Access: What to Check
Claude Code can read project files and, depending on permissions, may read beyond the working directory even when writes are narrower.
Open evidence guideCredential exposure
Claude Code API Key Exposure: Check Before You Share
Environment variables, .env files, shell credentials, SSH material, cloud configuration, logs, and MCP tokens can enter context.
Open evidence guideClient confidentiality
Claude Code Client Data Safety for Freelancers
A local session can read client code and nearby files under the developer’s account, while account terms and API transport still matter.
Open evidence guidePrompt injection
Claude Code Prompt Injection: A Practical Defense
Repository files, web content, dependencies, issues, and MCP output may contain instructions that attempt to redirect the agent.
Open evidence guideConnector permissions
Claude Code Connector Permissions: Review the Real Scope
MCP servers and hooks can expose local commands, files, APIs, tokens, and external services to the agent.
Open evidence guideCommand execution
Claude Code Command Execution: Keep Control
Claude Code can execute Bash commands, and bypass or unsandboxed modes materially reduce protection.
Open evidence guideUnsafe generated code
Claude Code Generated Code Risks: Review Before You Run
Claude Code can apply multi-file edits, install dependencies, run tests, and modify configuration within its granted scope.
Open evidence guideHistory and sharing
Claude Code Chat History and Shared Links: Privacy Check
Local and cloud sessions, account privacy choices, logs, and exported output may preserve code context in different places.
Open evidence guideAccidental oversharing
Claude Code Sensitive Data: What Not to Paste
Starting in a home or monorepo directory can expose far more readable context than the intended project.
Open evidence guideAutonomous actions
Claude Code Autonomous Actions: Approval Safety Guide
Non-interactive, auto, background, or bypass modes can continue work with fewer prompts inside the configured boundary.
Open evidence guidecoding agent
OpenAI Codex
Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.
coding agent
OpenAI Codex
Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.
Private file access
OpenAI Codex Private File Access: What to Check
Codex can read repository and workspace files within the environment supplied to the task, with scope varying by local or cloud setup.
Open evidence guideCredential exposure
OpenAI Codex API Key Exposure: Check Before You Share
Environment variables, repository config, shell output, cloud secrets, and local credential files can become reachable if included in scope.
Open evidence guideClient confidentiality
OpenAI Codex Client Data Safety for Freelancers
Client repositories and files may be processed locally or through connected cloud environments under different account and access controls.
Open evidence guidePrompt injection
OpenAI Codex Prompt Injection: A Practical Defense
Repository instructions, issues, webpages, dependency content, plugins, and MCP output can attempt to influence agent behavior.
Open evidence guideConnector permissions
OpenAI Codex Connector Permissions: Review the Real Scope
GitHub connections, plugins, MCP servers, and external tools can widen Codex access beyond the local repository.
Open evidence guideCommand execution
OpenAI Codex Command Execution: Keep Control
Codex can run commands under the configured sandbox and approval policy, with escalation requiring explicit authorization.
Open evidence guideUnsafe generated code
OpenAI Codex Generated Code Risks: Review Before You Run
Codex can patch code, run tests, and propose multi-file changes that still require repository-specific review.
Open evidence guideHistory and sharing
OpenAI Codex Chat History and Shared Links: Privacy Check
Tasks, terminal output, patches, cloud runs, and exported artifacts may preserve code context beyond the immediate prompt.
Open evidence guideAccidental oversharing
OpenAI Codex Sensitive Data: What Not to Paste
A task rooted too high in the filesystem or connected to a broad repository set can expose unrelated context.
Open evidence guideAutonomous actions
OpenAI Codex Autonomous Actions: Approval Safety Guide
Long-running or cloud tasks can continue across multiple steps inside the permissions and integrations granted at launch.
Open evidence guideconnected assistant
MCP-Connected AI Assistants
MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.
connected assistant
MCP-Connected AI Assistants
MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.
Private file access
MCP-Connected AI Assistants Private File Access: What to Check
A local or remote MCP server can expose files, databases, knowledge bases, or APIs as resources and tools.
Open evidence guideCredential exposure
MCP-Connected AI Assistants API Key Exposure: Check Before You Share
MCP server configs, environment variables, OAuth tokens, local process credentials, logs, and tool results can expose secrets.
Open evidence guideClient confidentiality
MCP-Connected AI Assistants Client Data Safety for Freelancers
An agency MCP setup can bridge one assistant to multiple client systems if servers, credentials, and sessions are reused.
Open evidence guidePrompt injection
MCP-Connected AI Assistants Prompt Injection: A Practical Defense
Tool descriptions, resource content, server responses, and resumed session events can carry malicious instructions.
Open evidence guideConnector permissions
MCP-Connected AI Assistants Connector Permissions: Review the Real Scope
MCP authorization can bridge an AI client to broad third-party API scopes and downstream resources.
Open evidence guideCommand execution
MCP-Connected AI Assistants Command Execution: Keep Control
Local stdio MCP servers run processes on the user’s machine and may inherit local filesystem and network privileges.
Open evidence guideUnsafe generated code
MCP-Connected AI Assistants Generated Code Risks: Review Before You Run
MCP tools that generate, install, or execute code can combine model output with downstream system authority.
Open evidence guideHistory and sharing
MCP-Connected AI Assistants Chat History and Shared Links: Privacy Check
Stateful MCP sessions, logs, resumed streams, tool results, and client histories can preserve sensitive data across requests.
Open evidence guideAccidental oversharing
MCP-Connected AI Assistants Sensitive Data: What Not to Paste
A broadly defined resource or tool can return entire records, directories, mailboxes, or databases when the task needs one field.
Open evidence guideAutonomous actions
MCP-Connected AI Assistants Autonomous Actions: Approval Safety Guide
An MCP client may chain multiple tools across systems, allowing one instruction to create side effects in several services.
Open evidence guideThe CapitalGuard boundary
Evidence before urgency.
These pages never claim to have scanned a visitor or discovered an incident. They help people identify the exact access condition that deserves review. CapitalGuard then provides the authorized repository scan, redacted report, preventive controls, and verification path when that deeper evidence is justified.
Review CapitalGuard LicensesEditorial method
CapitalGuard Security Research writes each guide from current provider documentation, public security standards, and CapitalGuard's versioned access-control model. No fictional author, unverified breach, fake customer evidence, or guaranteed-protection claim is used. Pages are revised when source behavior changes.
CapitalGuard is independent and is not affiliated with the providers or products named in this library.
