{"schemaVersion":"cg-observatory-1.0.0","datasetVersion":"1.0.0","title":"CapitalGuard AI Security Observatory","publisher":"CapitalGuard Security Research","license":"CC BY 4.0 for published dataset records and methodology. CapitalGuard marks, unpublished threat intelligence, proprietary detection logic, and private signing keys remain reserved.","publishedAt":"2026-07-13","updatedAt":"2026-07-13","canonicalUrl":"https://capitalguard.io/observatory","methodologyUrl":"https://capitalguard.io/observatory/methodology","claimBoundary":"Public-Control Scores measure documented control coverage, not product safety, incident frequency, exploitation probability, or guaranteed protection.","dimensions":[{"id":"scope","label":"Access and scope transparency","description":"How clearly official material explains what the tool can read, retrieve, index, or inherit."},{"id":"data","label":"Data and retention controls","description":"How clearly users can understand and control history, training use, retention, sharing, and deletion."},{"id":"connectors","label":"Connector and permission controls","description":"How specifically official material documents connected services, scopes, revocation, and least privilege."},{"id":"execution","label":"Action, approval, and isolation controls","description":"How clearly the product documents approvals, write boundaries, sandboxing, network access, and consequential actions."},{"id":"audit","label":"Audit and administrative evidence","description":"How much official material describes logs, policy enforcement, provenance, signed activity, or administrator review."}],"tools":[{"slug":"chatgpt","name":"ChatGPT","provider":"OpenAI","category":"connected assistant","recordStatus":"scored","publicControlScore":76,"scoreBand":"Substantial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"ChatGPT can work with prompts, uploads, memory, projects, and optional apps that search connected services or take actions, depending on plan and settings.","accessPoints":["prompts and uploaded files","projects, history, and memory","apps with retrieval, sync, or write actions"],"settingsToReview":["Data Controls and model-improvement choice","Memory, projects, and shared links","Apps, granted scopes, and action approval mode"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for access and scope transparency.","sourceIds":["chatgpt-official-1","chatgpt-official-2"]},{"id":"data","label":"Data and retention controls","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for data and retention controls.","sourceIds":["chatgpt-official-1","chatgpt-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for connector and permission controls.","sourceIds":["chatgpt-official-1","chatgpt-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":13,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["chatgpt-official-1","chatgpt-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":13,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["chatgpt-official-1","chatgpt-official-2"]}],"sourceIds":["chatgpt-official-1","chatgpt-official-2"],"advisoryIds":[],"evidenceGuideCount":10,"action":{"label":"Check connected AI access","href":"/ai-security#access-check"}},{"slug":"claude","name":"Claude","provider":"Anthropic","category":"connected assistant","recordStatus":"scored","publicControlScore":74,"scoreBand":"Substantial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Claude can work with conversations, files, projects, and optional connectors that retrieve from or act within services according to the user’s source-system permissions.","accessPoints":["chat messages, files, and project knowledge","shared chat snapshots","connectors with read or write tools"],"settingsToReview":["Privacy and model-improvement choice","Shared chats and project visibility","Connector tool permissions and source-account scope"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for access and scope transparency.","sourceIds":["claude-official-1","claude-official-2"]},{"id":"data","label":"Data and retention controls","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["claude-official-1","claude-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for connector and permission controls.","sourceIds":["claude-official-1","claude-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":14,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for action, approval, and isolation controls.","sourceIds":["claude-official-1","claude-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":12,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["claude-official-1","claude-official-2"]}],"sourceIds":["claude-official-1","claude-official-2"],"advisoryIds":[],"evidenceGuideCount":10,"action":{"label":"Check connected AI access","href":"/ai-security#access-check"}},{"slug":"gemini","name":"Gemini","provider":"Google","category":"connected assistant","recordStatus":"scored","publicControlScore":68,"scoreBand":"Partial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Gemini can work with prompts, uploads, live audio or screen context, and connected Google or third-party services depending on device, account, region, and settings.","accessPoints":["prompts, files, images, audio, video, and shared screens","connected Google and third-party apps","device permissions and Gemini Apps Activity"],"settingsToReview":["Gemini Apps Activity and auto-delete","Connected apps and public links","Google app device permissions and Saved Info"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":15,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for access and scope transparency.","sourceIds":["gemini-official-1","gemini-official-2"]},{"id":"data","label":"Data and retention controls","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["gemini-official-1","gemini-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":14,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for connector and permission controls.","sourceIds":["gemini-official-1","gemini-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":11,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["gemini-official-1","gemini-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":12,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["gemini-official-1","gemini-official-2"]}],"sourceIds":["gemini-official-1","gemini-official-2"],"advisoryIds":[],"evidenceGuideCount":10,"action":{"label":"Check connected AI access","href":"/ai-security#access-check"}},{"slug":"microsoft-copilot","name":"Microsoft Copilot","provider":"Microsoft","category":"connected assistant","recordStatus":"scored","publicControlScore":69,"scoreBand":"Partial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Microsoft Copilot spans consumer chat and Microsoft 365 experiences, where prompts, files, history, connected services, and organizational controls can differ substantially.","accessPoints":["uploaded files and conversation history","the active Microsoft 365 document","optional connectors and synced browser data"],"settingsToReview":["Model training and personalization choices","Copilot activity history","Connected services, recent files, and Microsoft 365 privacy settings"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":15,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for access and scope transparency.","sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"]},{"id":"data","label":"Data and retention controls","score":15,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":14,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for connector and permission controls.","sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":12,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":13,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"]}],"sourceIds":["microsoft-copilot-official-1","microsoft-copilot-official-2"],"advisoryIds":[],"evidenceGuideCount":10,"action":{"label":"Check connected AI access","href":"/ai-security#access-check"}},{"slug":"perplexity","name":"Perplexity","provider":"Perplexity AI","category":"connected assistant","recordStatus":"scored","publicControlScore":56,"scoreBand":"Partial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Perplexity combines AI search with conversations, uploads, projects or spaces, and optional organizational repositories or connectors depending on plan.","accessPoints":["search queries and conversation history","uploaded files and projects","connected storage and organizational repositories"],"settingsToReview":["AI Data Retention or training choice","Library, projects, and shared sessions","File, connector, and organization permissions"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":13,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["perplexity-official-1","perplexity-official-2"]},{"id":"data","label":"Data and retention controls","score":14,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["perplexity-official-1","perplexity-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":12,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["perplexity-official-1","perplexity-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":7,"maximum":20,"rationale":"Public documentation located for this review gives limited operational detail for action, approval, and isolation controls.","sourceIds":["perplexity-official-1","perplexity-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":10,"maximum":20,"rationale":"Official material documents user-facing controls, with some enforcement or audit detail still limited.","sourceIds":["perplexity-official-1","perplexity-official-2"]}],"sourceIds":["perplexity-official-1","perplexity-official-2"],"advisoryIds":[],"evidenceGuideCount":10,"action":{"label":"Check connected AI access","href":"/ai-security#access-check"}},{"slug":"github-copilot","name":"GitHub Copilot","provider":"GitHub","category":"coding assistant","recordStatus":"scored","publicControlScore":86,"scoreBand":"Extensive public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"GitHub Copilot can use editor context, repository indexes, pull requests, issues, and agent workflows, with policy and content-exclusion behavior depending on plan and surface.","accessPoints":["open editor and workspace context","repository semantic indexes","Copilot agents, pull requests, issues, and workflows"],"settingsToReview":["Content exclusions and repository indexing","Organization and enterprise Copilot policies","Agent permissions, branch protection, and review rules"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for access and scope transparency.","sourceIds":["github-copilot-official-1","github-copilot-official-2"]},{"id":"data","label":"Data and retention controls","score":14,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["github-copilot-official-1","github-copilot-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for connector and permission controls.","sourceIds":["github-copilot-official-1","github-copilot-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for action, approval, and isolation controls.","sourceIds":["github-copilot-official-1","github-copilot-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":19,"maximum":20,"rationale":"Official material provides extensive operational detail for audit and administrative evidence.","sourceIds":["github-copilot-official-1","github-copilot-official-2"]}],"sourceIds":["github-copilot-official-1","github-copilot-official-2"],"advisoryIds":["CGO-CHANGE-2026-06-09","CGO-RESEARCH-2026-05"],"evidenceGuideCount":10,"action":{"label":"Protect a live repository","href":"/products/pro"}},{"slug":"cursor","name":"Cursor","provider":"Anysphere","category":"coding agent","recordStatus":"scored","publicControlScore":84,"scoreBand":"Substantial public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Cursor combines an AI editor with codebase context, indexing, agent features, model providers, extensions, web search, and optional background or connected tools.","accessPoints":["open files and editor context","codebase indexing and embeddings","agent commands, extensions, web search, and MCP tools"],"settingsToReview":["Privacy Mode and codebase indexing",".cursorignore and workspace scope","Agent, extension, web, network, and MCP permissions"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for access and scope transparency.","sourceIds":["cursor-official-1","cursor-official-2"]},{"id":"data","label":"Data and retention controls","score":15,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["cursor-official-1","cursor-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for connector and permission controls.","sourceIds":["cursor-official-1","cursor-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for action, approval, and isolation controls.","sourceIds":["cursor-official-1","cursor-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for audit and administrative evidence.","sourceIds":["cursor-official-1","cursor-official-2"]}],"sourceIds":["cursor-official-1","cursor-official-2"],"advisoryIds":["CVE-2025-59944","CVE-2026-22708","CGO-RESEARCH-2026-05"],"evidenceGuideCount":10,"action":{"label":"Protect a live repository","href":"/products/pro"}},{"slug":"claude-code","name":"Claude Code","provider":"Anthropic","category":"coding agent","recordStatus":"scored","publicControlScore":85,"scoreBand":"Extensive public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"Claude Code is a local or cloud coding agent with file, command, network, MCP, and editing capabilities governed by permissions, sandboxing, trust, and account settings.","accessPoints":["repository and local file reads","edits and Bash commands","network access, MCP servers, hooks, and cloud environments"],"settingsToReview":["Permission mode and deny rules","Filesystem and network sandbox","Trusted directories, MCP servers, hooks, and unsandboxed escape paths"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for access and scope transparency.","sourceIds":["claude-code-official-1","claude-code-official-2"]},{"id":"data","label":"Data and retention controls","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["claude-code-official-1","claude-code-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for connector and permission controls.","sourceIds":["claude-code-official-1","claude-code-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for action, approval, and isolation controls.","sourceIds":["claude-code-official-1","claude-code-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for audit and administrative evidence.","sourceIds":["claude-code-official-1","claude-code-official-2"]}],"sourceIds":["claude-code-official-1","claude-code-official-2"],"advisoryIds":["CVE-2026-24887","CGO-CHANGE-2026-06-09","CGO-RESEARCH-2026-05"],"evidenceGuideCount":10,"action":{"label":"Protect a live repository","href":"/products/pro"}},{"slug":"openai-codex","name":"OpenAI Codex","provider":"OpenAI","category":"coding agent","recordStatus":"scored","publicControlScore":85,"scoreBand":"Extensive public control coverage","scoreBoundary":"Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.","summary":"OpenAI Codex can work locally or in cloud environments with repository files, commands, patches, network controls, approvals, plugins, and connected developer workflows.","accessPoints":["local repositories and worktrees","commands, patches, tests, and tools","cloud repositories, plugins, MCP servers, and network access"],"settingsToReview":["Sandbox and approval profile","Writable roots and network policy","Repository, plugin, MCP, and cloud connections"],"dimensions":[{"id":"scope","label":"Access and scope transparency","score":18,"maximum":20,"rationale":"Official material provides extensive operational detail for access and scope transparency.","sourceIds":["openai-codex-official-1","openai-codex-official-2"]},{"id":"data","label":"Data and retention controls","score":15,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for data and retention controls.","sourceIds":["openai-codex-official-1","openai-codex-official-2"]},{"id":"connectors","label":"Connector and permission controls","score":17,"maximum":20,"rationale":"Official material provides extensive operational detail for connector and permission controls.","sourceIds":["openai-codex-official-1","openai-codex-official-2"]},{"id":"execution","label":"Action, approval, and isolation controls","score":19,"maximum":20,"rationale":"Official material provides extensive operational detail for action, approval, and isolation controls.","sourceIds":["openai-codex-official-1","openai-codex-official-2"]},{"id":"audit","label":"Audit and administrative evidence","score":16,"maximum":20,"rationale":"Official material names concrete controls and meaningful boundaries for audit and administrative evidence.","sourceIds":["openai-codex-official-1","openai-codex-official-2"]}],"sourceIds":["openai-codex-official-1","openai-codex-official-2"],"advisoryIds":["CVE-2025-59532","CGO-CHANGE-2026-06-09","CGO-RESEARCH-2026-05"],"evidenceGuideCount":10,"action":{"label":"Protect a live repository","href":"/products/pro"}},{"slug":"mcp-assistants","name":"MCP-Connected AI Assistants","provider":"Multiple providers","category":"connected assistant","recordStatus":"implementation-dependent","publicControlScore":null,"scoreBand":"Implementation-dependent protocol","scoreBoundary":"MCP is a protocol and ecosystem, not one deployed product. A single score would hide differences between clients, servers, transport, authorization, and operator policy.","summary":"MCP-connected assistants can discover resources and call tools exposed by local or remote servers, creating a reusable bridge between AI and files, APIs, databases, commands, and business systems.","accessPoints":["MCP resources and prompts","local stdio server processes","remote tools, OAuth scopes, APIs, and downstream services"],"settingsToReview":["Server origin, command, and transport","OAuth scopes, token audience, and consent","Filesystem, network, session, logging, and downstream permissions"],"dimensions":[],"sourceIds":["mcp-assistants-official-1","mcp-assistants-official-2"],"advisoryIds":["CVE-2025-54073","CVE-2026-40576","CGO-RESEARCH-2026-05"],"evidenceGuideCount":10,"action":{"label":"Protect an MCP-enabled repository","href":"/products/pro"}}],"advisories":[{"id":"CVE-2025-59944","kind":"cve","title":"Cursor sensitive-file protection bypass","severity":"critical","toolSlugs":["cursor"],"publishedAt":"2025-10-03","updatedAt":"2026-06-17","summary":"Affected Cursor releases used case-sensitive checks around sensitive files, enabling a prompt-injection path to modify protected configuration on case-insensitive filesystems.","affected":"Cursor 1.6.23 and earlier.","response":"Update to Cursor 1.7 or later and review repository-controlled AI configuration before trust is granted.","sourceIds":["nvd-cve-2025-59944"]},{"id":"CVE-2026-22708","kind":"cve","title":"Cursor terminal allowlist bypass","severity":"high","toolSlugs":["cursor"],"publishedAt":"2026-01-14","updatedAt":"2026-01-14","summary":"In a non-default Auto-Run plus Allowlist configuration, shell built-ins could alter environment variables without appearing in the command allowlist.","affected":"Cursor 2.2 and earlier in the affected configuration.","response":"Update to Cursor 2.3 or later and avoid treating command-name allowlists as a complete execution boundary.","sourceIds":["cursor-ghsa-82wg"]},{"id":"CVE-2026-24887","kind":"cve","title":"Claude Code confirmation-prompt bypass","severity":"high","toolSlugs":["claude-code"],"publishedAt":"2026-02-03","updatedAt":"2026-02-06","summary":"A command-parsing error could bypass the confirmation prompt and trigger an untrusted command when attacker-controlled content entered context.","affected":"Claude Code releases before 2.0.72.","response":"Update to 2.0.72 or later and keep untrusted repository content outside command-authorizing context.","sourceIds":["nvd-cve-2026-24887"]},{"id":"CVE-2025-59532","kind":"cve","title":"Codex workspace sandbox-boundary bypass","severity":"high","toolSlugs":["openai-codex"],"publishedAt":"2025-09-22","updatedAt":"2026-06-17","summary":"Affected Codex releases could treat a model-generated working directory as the sandbox writable root, bypassing the intended workspace boundary.","affected":"Codex CLI 0.2.0 through 0.38.0; affected IDE extension releases before 0.4.12.","response":"Use Codex CLI 0.39.0 or later and IDE extension 0.4.12 or later, then verify the effective writable root before sensitive work.","sourceIds":["nvd-cve-2025-59532"]},{"id":"CVE-2025-54073","kind":"cve","title":"MCP package-documentation server command injection","severity":"high","toolSlugs":["mcp-assistants"],"publishedAt":"2025-07-18","updatedAt":"2025-08-05","summary":"Unsanitized package arguments reached a shell command, creating a path from tool input or indirect prompt injection to command execution.","affected":"mcp-package-docs 0.1.27 and earlier.","response":"Update to 0.1.28 or later and use argument-safe process APIs rather than shell interpolation.","sourceIds":["ghsa-cve-2025-54073"]},{"id":"CVE-2026-40576","kind":"cve","title":"Remote MCP spreadsheet server path traversal","severity":"critical","toolSlugs":["mcp-assistants"],"publishedAt":"2026-04-12","updatedAt":"2026-04-15","summary":"Affected remote deployments failed to confine file paths to the configured spreadsheet directory, allowing arbitrary file read and write operations.","affected":"excel-mcp-server 0.1.7 and earlier.","response":"Update to 0.1.8 or later, bind remote services narrowly, authenticate requests, and validate resolved paths against the approved root.","sourceIds":["ghsa-cve-2026-40576"]},{"id":"CGO-CHANGE-2026-06-09","kind":"security-change","title":"GitHub adds security validation for third-party coding agents","severity":"informational","toolSlugs":["github-copilot","claude-code","openai-codex"],"publishedAt":"2026-06-09","updatedAt":"2026-06-09","summary":"GitHub made automatic CodeQL, dependency-advisory, and secret-scanning validation generally available for supported third-party coding-agent changes.","affected":"Supported GitHub agent workflows; coverage depends on repository and agent settings.","response":"Keep the validation enabled, but retain branch protection, review, and least-privilege controls around agent-generated changes.","sourceIds":["github-third-party-agent-validation"]},{"id":"CGO-RESEARCH-2026-05","kind":"research","title":"AgentSecBench formalizes three enforceable agent-security boundaries","severity":"informational","toolSlugs":["mcp-assistants","openai-codex","claude-code","github-copilot","cursor"],"publishedAt":"2026-05-25","updatedAt":"2026-05-25","summary":"The benchmark separates instruction integrity, retrieval confidentiality, and tool-use capability integrity instead of treating prompt text as an enforcement boundary.","affected":"Agentic systems that combine untrusted content, private context, and action-capable tools.","response":"Project trusted provenance, restrict capabilities before generation, and validate outputs before execution.","sourceIds":["agentsecbench-2026"]}],"benchmark":{"name":"CapitalGuard Synthetic Repository Test Set","standardVersion":"1.0.0","runDigestSha256":"83f0586a997443653c6ac7f445fc127521320154eb6022454bb4908a8cb74478","executionBoundary":"The harness reads synthetic fixtures and executes no fixture command, vendor product, exploit, network action, or customer repository.","cases":[{"id":"CGO-TV-001","title":"Secret-bearing path signal","fixture":".env.synthetic","marker":"CG_SYNTHETIC_TOKEN_DO_NOT_USE","expectedFinding":"A secret-bearing path is identified without exposing a real credential.","controlIds":["CGS-SEC-001","CGS-DATA-001"],"fixtureSha256":"87b770404de1cb49096a78455ace92e6d78f6dfd2211ffd697ed71c52f63a6b5","result":"pass"},{"id":"CGO-TV-002","title":"Untrusted repository instruction","fixture":"docs/untrusted-instruction.fixture.md","marker":"CG_TEST_UNTRUSTED_INSTRUCTION","expectedFinding":"Repository text is treated as untrusted content rather than authorization.","controlIds":["CGS-INJ-001"],"fixtureSha256":"9c764c5bacb9dcbc1e02c2b79b2b6705535ddc65de237540e3bc579099442990","result":"pass"},{"id":"CGO-TV-003","title":"Broad workflow authority","fixture":".github/workflows/broad-permissions.fixture.yml","marker":"permissions: write-all","expectedFinding":"Broad workflow write authority is mapped to least privilege and approval review.","controlIds":["CGS-PRIV-001","CGS-HUMAN-001"],"fixtureSha256":"98e3002c7e84e859b5db2dc87acd48153fb5c94381142b83b85d481391f052df","result":"pass"},{"id":"CGO-TV-004","title":"Synthetic customer-data surface","fixture":"data/customer-records.synthetic.json","marker":"example.invalid","expectedFinding":"Customer-like data is identified using synthetic records only.","controlIds":["CGS-DATA-001"],"fixtureSha256":"af9cf134b607779a26baec5841ecd9b31e8b287e4409019ae9140711974524a2","result":"pass"},{"id":"CGO-TV-005","title":"Missing machine policy","fixture":".capitalguard/policy-absent.fixture","marker":"CG_TEST_POLICY_ABSENT","expectedFinding":"The harness records that no enforceable machine policy accompanies the fixture.","controlIds":["CGS-POL-001"],"fixtureSha256":"10fb4f812f1f5ae35c2d362ba6e60c55974bacef6b587274e8350497dc7f2b64","result":"pass"},{"id":"CGO-TV-006","title":"Command-authority marker","fixture":"scripts/command-authority.fixture.txt","marker":"CG_TEST_COMMAND_EXECUTION_AUTHORITY","expectedFinding":"Command authority is routed to a human-approval control without executing a command.","controlIds":["CGS-HUMAN-001","CGS-PRIV-001"],"fixtureSha256":"5cb48e450ba8caeece90123479e1f80f7f59e094cee24b85e2d5eb30ed9b53bf","result":"pass"}]},"standard":{"version":"1.0.0","standardUrl":"https://capitalguard.io/standard/v1.0.0/standard.json","controlsUrl":"https://capitalguard.io/standard/v1.0.0/controls.json","testVectorsUrl":"https://capitalguard.io/standard/v1.0.0/test-vectors.json"},"guardprintRegistry":{"algorithm":"SHA-256","signatureAlgorithm":"Ed25519","publicRecordsUrl":"https://capitalguard.io/observatory/guardprints.json","publicKeysUrl":"https://capitalguard.io/.well-known/capitalguard-verification-keys.json","verificationUrl":"https://capitalguard.io/verify","privacyBoundary":"Only the public attestation payload, status, hashes, signature, key identifier, and explicitly public labels are listed. Source code, repository names, secret values, customer identities, and private paths are excluded."},"sources":[{"id":"chatgpt-official-1","title":"OpenAI ChatGPT Data Controls FAQ","url":"https://help.openai.com/en/articles/7730893-chatgpt-privacy-practices","publisher":"OpenAI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official controls for training choice, Temporary Chat, export, and deletion."},{"id":"chatgpt-official-2","title":"OpenAI Apps in ChatGPT","url":"https://help.openai.com/en/articles/11487775-connectors-in-chatgpt/","publisher":"OpenAI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official description of app retrieval, sync, write actions, permissions, and connected data."},{"id":"claude-official-1","title":"Anthropic: Use connectors to extend Claude","url":"https://support.claude.com/en/articles/11176164-use-connectors-to-extend-claude-s-capabilities","publisher":"Anthropic","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official connector access, inherited permissions, and action-restriction guidance."},{"id":"claude-official-2","title":"Anthropic: Is my data used for model training?","url":"https://privacy.anthropic.com/en/articles/10023580-is-my-data-used-for-model-training","publisher":"Anthropic","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official consumer privacy and model-improvement conditions."},{"id":"gemini-official-1","title":"Google Gemini Apps Privacy Hub","url":"https://support.google.com/gemini/answer/13594961","publisher":"Google","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official description of collected content, connected apps, settings, review, and retention."},{"id":"gemini-official-2","title":"Google Account permissions","url":"https://myaccount.google.com/permissions","publisher":"Google","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official account surface for reviewing third-party access and connections."},{"id":"microsoft-copilot-official-1","title":"Microsoft Copilot Privacy FAQ","url":"https://support.microsoft.com/en-us/microsoft-copilot/privacy-faq-for-microsoft-copilot","publisher":"Microsoft","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official consumer guidance for uploads, history, training choices, and privacy."},{"id":"microsoft-copilot-official-2","title":"Microsoft: Connecting Copilot to other services","url":"https://support.microsoft.com/en-US/microsoft-copilot/connecting-microsoft-copilot-to-other-services","publisher":"Microsoft","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official description of service connections and retrievable files, mail, contacts, and calendar data."},{"id":"perplexity-official-1","title":"Perplexity: Data Collection","url":"https://www.perplexity.ai/help-center/en/articles/11564572-data-collection-at-perplexity","publisher":"Perplexity AI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official consumer and Enterprise training, retention, and control guidance."},{"id":"perplexity-official-2","title":"Perplexity Enterprise Organization Permissions","url":"https://www.perplexity.ai/help-center/en/articles/12053065-enterprise-organization-permissions","publisher":"Perplexity AI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official controls for files, sharing, connectors, models, and audit settings."},{"id":"github-copilot-official-1","title":"GitHub: Repository indexing for Copilot","url":"https://docs.github.com/en/copilot/concepts/context/repository-indexing","publisher":"GitHub","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official indexing and content-exclusion behavior."},{"id":"github-copilot-official-2","title":"GitHub: Responsible use of Copilot agents","url":"https://docs.github.com/en/copilot/responsible-use/agents","publisher":"GitHub","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official limitations and review responsibilities for agent-generated work."},{"id":"cursor-official-1","title":"Cursor Security","url":"https://cursor.com/security","publisher":"Anysphere","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official security, agent, privacy, and infrastructure overview."},{"id":"cursor-official-2","title":"Cursor Data Use & Privacy Overview","url":"https://cursor.com/data-use","publisher":"Anysphere","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official Privacy Mode, indexing, storage, and provider data-use details."},{"id":"claude-code-official-1","title":"Anthropic Claude Code Security","url":"https://code.claude.com/docs/en/security","publisher":"Anthropic","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official security, prompt-injection, permissions, MCP, and user-responsibility guidance."},{"id":"claude-code-official-2","title":"Anthropic Claude Code Sandboxing","url":"https://code.claude.com/docs/en/sandboxing","publisher":"Anthropic","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official filesystem and network isolation behavior and limitations."},{"id":"openai-codex-official-1","title":"OpenAI Codex Agent Approvals & Security","url":"https://learn.chatgpt.com/docs/agent-approvals-security","publisher":"OpenAI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official Codex sandbox, approvals, and security model."},{"id":"openai-codex-official-2","title":"OpenAI Codex Security","url":"https://learn.chatgpt.com/docs/security","publisher":"OpenAI","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official Codex Security and connected-repository workflow overview."},{"id":"mcp-assistants-official-1","title":"Model Context Protocol Security Best Practices","url":"https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices","publisher":"Multiple providers","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official MCP attack paths and mitigations for consent, tokens, SSRF, sessions, local servers, and scope."},{"id":"mcp-assistants-official-2","title":"Model Context Protocol Authorization","url":"https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization","publisher":"Multiple providers","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"Official authorization requirements for protected MCP resources."},{"id":"nist-ai-rmf","title":"NIST AI Risk Management Framework","url":"https://www.nist.gov/itl/ai-risk-management-framework","publisher":"NIST","kind":"government","accessedAt":"2026-07-13","note":"Primary risk-management guidance for mapping, measuring, managing, and governing AI risk."},{"id":"owasp-prompt-injection","title":"OWASP Prompt Injection Prevention Cheat Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html","publisher":"OWASP Foundation","kind":"industry-standard","accessedAt":"2026-07-13","note":"Defensive guidance for separating trusted instructions from untrusted content."},{"id":"owasp-secrets","title":"OWASP Secrets Management Cheat Sheet","url":"https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html","publisher":"OWASP Foundation","kind":"industry-standard","accessedAt":"2026-07-13","note":"Defensive guidance for minimizing, rotating, and monitoring secret access."},{"id":"cisa-secure-by-design","title":"CISA Secure by Design","url":"https://www.cisa.gov/securebydesign","publisher":"CISA","kind":"government","accessedAt":"2026-07-13","note":"Primary guidance for secure defaults, explicit controls, and owner-visible security decisions."},{"id":"nvd-cve-2025-59944","title":"CVE-2025-59944: Cursor sensitive-file protection bypass","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59944","publisher":"NIST National Vulnerability Database","kind":"vulnerability-database","accessedAt":"2026-07-13","note":"NVD record for a Cursor prompt-injection path to sensitive-file modification on affected versions."},{"id":"cursor-ghsa-82wg","title":"CVE-2026-22708: Cursor terminal allowlist bypass","url":"https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w","publisher":"Cursor","kind":"vendor-advisory","accessedAt":"2026-07-13","note":"Vendor advisory for an environment-variable path around terminal allowlist enforcement."},{"id":"nvd-cve-2026-24887","title":"CVE-2026-24887: Claude Code confirmation-prompt bypass","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24887","publisher":"NIST National Vulnerability Database","kind":"vulnerability-database","accessedAt":"2026-07-13","note":"NVD record for a command-parsing issue affecting Claude Code versions before 2.0.72."},{"id":"nvd-cve-2025-59532","title":"CVE-2025-59532: Codex workspace sandbox-boundary bypass","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59532","publisher":"NIST National Vulnerability Database","kind":"vulnerability-database","accessedAt":"2026-07-13","note":"NVD record for affected Codex versions treating a model-generated working directory as writable scope."},{"id":"ghsa-cve-2025-54073","title":"CVE-2025-54073: mcp-package-docs command injection","url":"https://github.com/advisories/GHSA-vf9j-h32g-2764","publisher":"GitHub Advisory Database","kind":"vulnerability-database","accessedAt":"2026-07-13","note":"Reviewed advisory for command injection in an MCP package-documentation server."},{"id":"ghsa-cve-2026-40576","title":"CVE-2026-40576: excel-mcp-server path traversal","url":"https://github.com/advisories/GHSA-j98m-w3xp-9f56","publisher":"GitHub Advisory Database","kind":"vulnerability-database","accessedAt":"2026-07-13","note":"Reviewed advisory for arbitrary file access in affected remote excel-mcp-server deployments."},{"id":"github-third-party-agent-validation","title":"Security validation for third-party coding agents","url":"https://github.blog/changelog/2026-06-09-security-validation-for-third-party-coding-agents/","publisher":"GitHub","kind":"vendor-documentation","accessedAt":"2026-07-13","note":"GitHub change record for CodeQL, advisory, and secret-scanning validation on third-party agent changes."},{"id":"agentsecbench-2026","title":"AgentSecBench: Measuring Prompt Injection, Privacy Leakage, and Tool-Use Integrity in LLM Agents","url":"https://arxiv.org/abs/2605.26269","publisher":"AgentSecBench authors","kind":"primary-research","accessedAt":"2026-07-13","note":"Primary paper defining reproducible instruction-integrity, retrieval-confidentiality, and capability-integrity games."}],"changelog":[{"version":"1.0.0","date":"2026-07-13","title":"Initial public Observatory release","changes":["Published ten AI-tool and protocol records with source-level citations.","Released the five-dimension CapitalGuard Public-Control Score and claim boundary.","Added six CVE records, one material platform security change, and one primary research signal.","Published six non-destructive synthetic repository test vectors mapped to CapitalGuard Standard 1.0.0.","Added machine-readable JSON and CSV exports plus daily official-source change detection."]}]}