CapitalGuard

AI security evidence library

100 precise checks for the AI tools people actually use.

Ten AI surfaces crossed with ten real exposure types. Every guide explains the boundary, warning signs, safe test, practical controls, and the point where a formal CapitalGuard baseline becomes useful.

Published by CapitalGuard Security Research · Updated July 13, 2026 · Primary sources only

10

AI surfaces

10

Exposure types

100

Evidence guides

connected assistant

ChatGPT

Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.

Private file access

ChatGPT Private File Access: What to Check

Uploads, projects, synced apps, and file-search connections can make selected documents available as context.

Open evidence guide

Credential exposure

ChatGPT API Key Exposure: Check Before You Share

Credentials can arrive through pasted configuration, uploaded source files, screenshots, or connected Drive content.

Open evidence guide

Client confidentiality

ChatGPT Client Data Safety for Freelancers

A personal ChatGPT account can mix client prompts, files, memories, and app context unless the user separates work deliberately.

Open evidence guide

Prompt injection

ChatGPT Prompt Injection: A Practical Defense

Retrieved webpages, uploaded documents, and app results can contain instructions that should be treated as untrusted content.

Open evidence guide

Connector permissions

ChatGPT Connector Permissions: Review the Real Scope

ChatGPT apps may search connected sources, sync content, or perform write actions within granted scopes.

Open evidence guide

Command execution

ChatGPT Command Execution: Keep Control

Standard conversation is text-only, but custom apps, workspace agents, or connected action tools can change external systems when enabled.

Open evidence guide

Unsafe generated code

ChatGPT Generated Code Risks: Review Before You Run

ChatGPT may suggest code, dependencies, shell commands, and configuration that still require independent verification.

Open evidence guide

History and sharing

ChatGPT Chat History and Shared Links: Privacy Check

History, memories, projects, Temporary Chats, and shared links follow different controls and should be reviewed separately.

Open evidence guide

Accidental oversharing

ChatGPT Sensitive Data: What Not to Paste

Large pastes, screenshots, uploads, and connected-app retrieval can include more information than the visible question requires.

Open evidence guide

Autonomous actions

ChatGPT Autonomous Actions: Approval Safety Guide

Apps can be configured to read automatically or take actions with different approval levels, including elevated persistent choices where available.

Open evidence guide

connected assistant

Claude

Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.

Private file access

Claude Private File Access: What to Check

Files, project knowledge, Google Workspace connections, and other connectors can make selected work retrievable in Claude.

Open evidence guide

Credential exposure

Claude API Key Exposure: Check Before You Share

Secrets can enter through code uploads, pasted logs, project knowledge, Drive documents, or connector results.

Open evidence guide

Client confidentiality

Claude Client Data Safety for Freelancers

Client files can persist in conversations or project knowledge and may be retrievable through connectors inherited from the user account.

Open evidence guide

Prompt injection

Claude Prompt Injection: A Practical Defense

Documents, webpages, connector output, and MCP resources may contain instructions that conflict with the user’s goal.

Open evidence guide

Connector permissions

Claude Connector Permissions: Review the Real Scope

Claude connectors can inherit access from services such as Drive, Slack, or Linear and may expose both read and write tools.

Open evidence guide

Command execution

Claude Command Execution: Keep Control

Ordinary Claude chat is not a local shell, but connectors and computer or coding surfaces may expose action tools.

Open evidence guide

Unsafe generated code

Claude Generated Code Risks: Review Before You Run

Claude can generate code and installation instructions that may be plausible but incomplete, outdated, or unsafe for the user’s environment.

Open evidence guide

History and sharing

Claude Chat History and Shared Links: Privacy Check

Claude chats are private by default but can be shared as snapshots; projects and uploaded files have separate visibility rules.

Open evidence guide

Accidental oversharing

Claude Sensitive Data: What Not to Paste

Artifacts, screenshots, long documents, and connector retrieval can surface details beyond the line the user intended to discuss.

Open evidence guide

Autonomous actions

Claude Autonomous Actions: Approval Safety Guide

Connectors may retrieve data or take actions such as creating issues, sending messages, or changing records when the tool is permitted.

Open evidence guide

connected assistant

Gemini

Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.

Private file access

Gemini Private File Access: What to Check

Gemini can receive files, screens, photos, page context, and information from connected apps when those features are used.

Open evidence guide

Credential exposure

Gemini API Key Exposure: Check Before You Share

Tokens or passwords can appear in uploaded screenshots, browser page context, code files, Drive content, or copied logs.

Open evidence guide

Client confidentiality

Gemini Client Data Safety for Freelancers

Client content may enter through uploads, connected Google services, live screen sharing, or a work account whose policies differ from a personal account.

Open evidence guide

Prompt injection

Gemini Prompt Injection: A Practical Defense

Web content, connected-app results, emails, documents, and shared screens can contain text that should not become trusted instructions.

Open evidence guide

Connector permissions

Gemini Connector Permissions: Review the Real Scope

Connected Google and third-party apps can expose account information according to their permissions and retain shared data under their own policies.

Open evidence guide

Command execution

Gemini Command Execution: Keep Control

Consumer Gemini chat is not automatically a shell, but device actions, extensions, or connected services may perform operations.

Open evidence guide

Unsafe generated code

Gemini Generated Code Risks: Review Before You Run

Gemini-generated code or commands may omit environment-specific constraints or suggest dependencies that need verification.

Open evidence guide

History and sharing

Gemini Chat History and Shared Links: Privacy Check

Gemini Apps Activity, public links, saved information, connected-service data, and reviewed content follow different retention rules.

Open evidence guide

Accidental oversharing

Gemini Sensitive Data: What Not to Paste

Live screen, camera, audio, uploaded files, and browser page context can capture background information outside the intended question.

Open evidence guide

Autonomous actions

Gemini Autonomous Actions: Approval Safety Guide

Gemini may use connected apps or device-assistant capabilities to take actions based on available permissions.

Open evidence guide

connected assistant

Microsoft Copilot

The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.

Private file access

Microsoft Copilot Private File Access: What to Check

Copilot may use uploaded files, the active Microsoft 365 document, recent files, or connected-service content depending on the surface.

Open evidence guide

Credential exposure

Microsoft Copilot API Key Exposure: Check Before You Share

Credentials may appear in uploaded files, screenshots, recent documents, synced browser data, code, or copied support logs.

Open evidence guide

Client confidentiality

Microsoft Copilot Client Data Safety for Freelancers

Client data can enter a consumer Copilot chat or a managed Microsoft 365 context with different controls and retention.

Open evidence guide

Prompt injection

Microsoft Copilot Prompt Injection: A Practical Defense

Connected service results, documents, email, webpages, and shared files may contain untrusted instructions.

Open evidence guide

Connector permissions

Microsoft Copilot Connector Permissions: Review the Real Scope

Connections can make files, email, contacts, calendar events, and other service data retrievable through Copilot.

Open evidence guide

Command execution

Microsoft Copilot Command Execution: Keep Control

Most consumer interactions are not a general shell, but connected services and Microsoft 365 features can create or modify external content.

Open evidence guide

Unsafe generated code

Microsoft Copilot Generated Code Risks: Review Before You Run

Copilot can generate code, formulas, scripts, and commands whose safety depends on the user’s environment and review.

Open evidence guide

History and sharing

Microsoft Copilot Chat History and Shared Links: Privacy Check

Consumer history, Microsoft 365 activity, uploaded files, and organizational records may be controlled in different locations.

Open evidence guide

Accidental oversharing

Microsoft Copilot Sensitive Data: What Not to Paste

Recent files, full documents, screenshots, and connected services can surface more context than a short prompt suggests.

Open evidence guide

Autonomous actions

Microsoft Copilot Autonomous Actions: Approval Safety Guide

Connected Copilot experiences may draft, create, change, or communicate within Microsoft services when the feature permits.

Open evidence guide

connected assistant

Perplexity

The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.

Private file access

Perplexity Private File Access: What to Check

Perplexity can work with session uploads, project files, personal repositories, organizational files, and connected storage depending on plan.

Open evidence guide

Credential exposure

Perplexity API Key Exposure: Check Before You Share

Secrets can enter through uploaded code, configuration, screenshots, search queries, or files synchronized from storage.

Open evidence guide

Client confidentiality

Perplexity Client Data Safety for Freelancers

Client files may persist in projects or repositories, and sharing can expose responses that reference connected material.

Open evidence guide

Prompt injection

Perplexity Prompt Injection: A Practical Defense

Search results, webpages, uploaded documents, and connected files can carry instructions that should not control the assistant.

Open evidence guide

Connector permissions

Perplexity Connector Permissions: Review the Real Scope

Enterprise connectors can include cloud storage and knowledge sources whose permissions determine what files can be searched.

Open evidence guide

Command execution

Perplexity Command Execution: Keep Control

Perplexity search and chat are not a general local shell, although generated commands or connected capabilities can still influence external actions.

Open evidence guide

Unsafe generated code

Perplexity Generated Code Risks: Review Before You Run

Generated code and cited technical answers can still contain vulnerable patterns, obsolete APIs, or unsafe commands.

Open evidence guide

History and sharing

Perplexity Chat History and Shared Links: Privacy Check

Sessions, projects, uploaded files, Pages, and Enterprise repositories have different retention and visibility rules.

Open evidence guide

Accidental oversharing

Perplexity Sensitive Data: What Not to Paste

Search queries and uploads can include confidential terms, full documents, account details, or source material beyond the research need.

Open evidence guide

Autonomous actions

Perplexity Autonomous Actions: Approval Safety Guide

Search and answer generation are usually advisory, but enterprise connectors and future action surfaces should be reviewed for actual write authority.

Open evidence guide

coding assistant

GitHub Copilot

The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.

Private file access

GitHub Copilot Private File Access: What to Check

Editor context, local workspaces, and repository indexes can expose more than the file currently visible to the developer.

Open evidence guide

Credential exposure

GitHub Copilot API Key Exposure: Check Before You Share

Secrets can appear in repository history, local untracked files, configuration, actions logs, test fixtures, and editor context.

Open evidence guide

Client confidentiality

GitHub Copilot Client Data Safety for Freelancers

Agency and freelancer workspaces can mix multiple client repositories and local folders inside one editor context.

Open evidence guide

Prompt injection

GitHub Copilot Prompt Injection: A Practical Defense

Issues, pull requests, comments, documentation, code, and repository instructions can contain untrusted text that influences an agent.

Open evidence guide

Connector permissions

GitHub Copilot Connector Permissions: Review the Real Scope

Copilot agents operate within GitHub permissions and may interact with repositories, issues, pull requests, and workflows.

Open evidence guide

Command execution

GitHub Copilot Command Execution: Keep Control

Agent workflows may run tools or propose changes beyond ordinary inline completion, depending on the product surface.

Open evidence guide

Unsafe generated code

GitHub Copilot Generated Code Risks: Review Before You Run

Copilot suggestions and agent pull requests can introduce vulnerable logic, unsafe dependencies, or incomplete tests.

Open evidence guide

History and sharing

GitHub Copilot Chat History and Shared Links: Privacy Check

Chat logs, pull requests, issues, comments, and agent artifacts may preserve sensitive context in different GitHub surfaces.

Open evidence guide

Accidental oversharing

GitHub Copilot Sensitive Data: What Not to Paste

Opening a broad workspace or attaching repository context can expose unrelated code, comments, logs, and configuration.

Open evidence guide

Autonomous actions

GitHub Copilot Autonomous Actions: Approval Safety Guide

Copilot agents can create changes and workflow artifacts that move through GitHub’s collaboration system.

Open evidence guide

coding agent

Cursor

Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.

Private file access

Cursor Private File Access: What to Check

Cursor can use open files, workspace context, codebase indexes, agent tools, and local project data to answer and act.

Open evidence guide

Credential exposure

Cursor API Key Exposure: Check Before You Share

Environment files, local configuration, terminal output, logs, and indexed code can place credentials near AI context.

Open evidence guide

Client confidentiality

Cursor Client Data Safety for Freelancers

A single Cursor workspace can contain client code, local files, indexes, chat context, and model-provider requests.

Open evidence guide

Prompt injection

Cursor Prompt Injection: A Practical Defense

Repository instructions, documentation, issues, web results, and MCP tool output can influence Cursor agents.

Open evidence guide

Connector permissions

Cursor Connector Permissions: Review the Real Scope

MCP servers, extensions, model providers, and web search widen the systems and data Cursor can interact with.

Open evidence guide

Command execution

Cursor Command Execution: Keep Control

Cursor agents can propose or execute terminal commands with the user’s local environment and project context.

Open evidence guide

Unsafe generated code

Cursor Generated Code Risks: Review Before You Run

Agent-generated multi-file changes can introduce insecure logic, dependencies, workflows, or configuration at high speed.

Open evidence guide

History and sharing

Cursor Chat History and Shared Links: Privacy Check

Chat history, memories, indexes, code metadata, and model-provider handling depend on settings and feature use.

Open evidence guide

Accidental oversharing

Cursor Sensitive Data: What Not to Paste

A broad workspace, selected files, terminal output, and indexed code can provide more context than a short question suggests.

Open evidence guide

Autonomous actions

Cursor Autonomous Actions: Approval Safety Guide

Background or agent features can make edits and run tools with less continuous attention than inline assistance.

Open evidence guide

coding agent

Claude Code

Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.

Private file access

Claude Code Private File Access: What to Check

Claude Code can read project files and, depending on permissions, may read beyond the working directory even when writes are narrower.

Open evidence guide

Credential exposure

Claude Code API Key Exposure: Check Before You Share

Environment variables, .env files, shell credentials, SSH material, cloud configuration, logs, and MCP tokens can enter context.

Open evidence guide

Client confidentiality

Claude Code Client Data Safety for Freelancers

A local session can read client code and nearby files under the developer’s account, while account terms and API transport still matter.

Open evidence guide

Prompt injection

Claude Code Prompt Injection: A Practical Defense

Repository files, web content, dependencies, issues, and MCP output may contain instructions that attempt to redirect the agent.

Open evidence guide

Connector permissions

Claude Code Connector Permissions: Review the Real Scope

MCP servers and hooks can expose local commands, files, APIs, tokens, and external services to the agent.

Open evidence guide

Command execution

Claude Code Command Execution: Keep Control

Claude Code can execute Bash commands, and bypass or unsandboxed modes materially reduce protection.

Open evidence guide

Unsafe generated code

Claude Code Generated Code Risks: Review Before You Run

Claude Code can apply multi-file edits, install dependencies, run tests, and modify configuration within its granted scope.

Open evidence guide

History and sharing

Claude Code Chat History and Shared Links: Privacy Check

Local and cloud sessions, account privacy choices, logs, and exported output may preserve code context in different places.

Open evidence guide

Accidental oversharing

Claude Code Sensitive Data: What Not to Paste

Starting in a home or monorepo directory can expose far more readable context than the intended project.

Open evidence guide

Autonomous actions

Claude Code Autonomous Actions: Approval Safety Guide

Non-interactive, auto, background, or bypass modes can continue work with fewer prompts inside the configured boundary.

Open evidence guide

coding agent

OpenAI Codex

Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.

Private file access

OpenAI Codex Private File Access: What to Check

Codex can read repository and workspace files within the environment supplied to the task, with scope varying by local or cloud setup.

Open evidence guide

Credential exposure

OpenAI Codex API Key Exposure: Check Before You Share

Environment variables, repository config, shell output, cloud secrets, and local credential files can become reachable if included in scope.

Open evidence guide

Client confidentiality

OpenAI Codex Client Data Safety for Freelancers

Client repositories and files may be processed locally or through connected cloud environments under different account and access controls.

Open evidence guide

Prompt injection

OpenAI Codex Prompt Injection: A Practical Defense

Repository instructions, issues, webpages, dependency content, plugins, and MCP output can attempt to influence agent behavior.

Open evidence guide

Connector permissions

OpenAI Codex Connector Permissions: Review the Real Scope

GitHub connections, plugins, MCP servers, and external tools can widen Codex access beyond the local repository.

Open evidence guide

Command execution

OpenAI Codex Command Execution: Keep Control

Codex can run commands under the configured sandbox and approval policy, with escalation requiring explicit authorization.

Open evidence guide

Unsafe generated code

OpenAI Codex Generated Code Risks: Review Before You Run

Codex can patch code, run tests, and propose multi-file changes that still require repository-specific review.

Open evidence guide

History and sharing

OpenAI Codex Chat History and Shared Links: Privacy Check

Tasks, terminal output, patches, cloud runs, and exported artifacts may preserve code context beyond the immediate prompt.

Open evidence guide

Accidental oversharing

OpenAI Codex Sensitive Data: What Not to Paste

A task rooted too high in the filesystem or connected to a broad repository set can expose unrelated context.

Open evidence guide

Autonomous actions

OpenAI Codex Autonomous Actions: Approval Safety Guide

Long-running or cloud tasks can continue across multiple steps inside the permissions and integrations granted at launch.

Open evidence guide

connected assistant

MCP-Connected AI Assistants

MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.

Private file access

MCP-Connected AI Assistants Private File Access: What to Check

A local or remote MCP server can expose files, databases, knowledge bases, or APIs as resources and tools.

Open evidence guide

Credential exposure

MCP-Connected AI Assistants API Key Exposure: Check Before You Share

MCP server configs, environment variables, OAuth tokens, local process credentials, logs, and tool results can expose secrets.

Open evidence guide

Client confidentiality

MCP-Connected AI Assistants Client Data Safety for Freelancers

An agency MCP setup can bridge one assistant to multiple client systems if servers, credentials, and sessions are reused.

Open evidence guide

Prompt injection

MCP-Connected AI Assistants Prompt Injection: A Practical Defense

Tool descriptions, resource content, server responses, and resumed session events can carry malicious instructions.

Open evidence guide

Connector permissions

MCP-Connected AI Assistants Connector Permissions: Review the Real Scope

MCP authorization can bridge an AI client to broad third-party API scopes and downstream resources.

Open evidence guide

Command execution

MCP-Connected AI Assistants Command Execution: Keep Control

Local stdio MCP servers run processes on the user’s machine and may inherit local filesystem and network privileges.

Open evidence guide

Unsafe generated code

MCP-Connected AI Assistants Generated Code Risks: Review Before You Run

MCP tools that generate, install, or execute code can combine model output with downstream system authority.

Open evidence guide

History and sharing

MCP-Connected AI Assistants Chat History and Shared Links: Privacy Check

Stateful MCP sessions, logs, resumed streams, tool results, and client histories can preserve sensitive data across requests.

Open evidence guide

Accidental oversharing

MCP-Connected AI Assistants Sensitive Data: What Not to Paste

A broadly defined resource or tool can return entire records, directories, mailboxes, or databases when the task needs one field.

Open evidence guide

Autonomous actions

MCP-Connected AI Assistants Autonomous Actions: Approval Safety Guide

An MCP client may chain multiple tools across systems, allowing one instruction to create side effects in several services.

Open evidence guide

The CapitalGuard boundary

Evidence before urgency.

These pages never claim to have scanned a visitor or discovered an incident. They help people identify the exact access condition that deserves review. CapitalGuard then provides the authorized repository scan, redacted report, preventive controls, and verification path when that deeper evidence is justified.

Review CapitalGuard Licenses

Editorial method

CapitalGuard Security Research writes each guide from current provider documentation, public security standards, and CapitalGuard's versioned access-control model. No fictional author, unverified breach, fake customer evidence, or guaranteed-protection claim is used. Pages are revised when source behavior changes.

CapitalGuard is independent and is not affiliated with the providers or products named in this library.