Live checkout: Starter, Growth, and Pro licensesBuild cartCompare packagesProof ledger
CapitalGuardAI-agent security licensesBuy

Report viewer

CapitalGuard report: acme-platform.

Findings are written for founders, security reviewers, and developers who need detection evidence, prevention controls, and practical precautions.

Critical

Production secrets reachable by agent workspace

.env.production

Why it matters

The file appears inside the default workspace scope used by AI coding tools.

How an AI agent could expose it

An agent asked to debug deployment could read or summarize secret names and values.

Business impact

A leaked production key can expose customer data, billing systems, or deployment access.

Preventive control

Move secrets into the deployment provider vault and block this path in agent policy.

Confidence level: High. Sensitive values are redacted before display and export.

High

Prompt-injection instruction path in internal docs

docs/prompts/release-checklist.md

Why it matters

The document includes imperative instructions an agent may treat as task guidance.

How an AI agent could expose it

An agent reviewing release docs could follow hidden instructions before developer review.

Business impact

A malicious instruction can alter build steps, exfiltrate logs, or bypass review.

Preventive control

Move operational instructions into signed policy files and label docs as untrusted input.

Confidence level: Medium. Sensitive values are redacted before display and export.

High

Deployment workflow can be edited by coding agents

.github/workflows/deploy.yml

Why it matters

The workflow is both sensitive and currently inside editable AI-agent scope.

How an AI agent could expose it

A suggested cleanup could modify deployment permissions or add unsafe commands.

Business impact

Build-system compromise can affect production releases and customer trust.

Preventive control

Require protected reviews for workflow changes and add an agent read-only rule.

Confidence level: High. Sensitive values are redacted before display and export.

Medium

Dangerous command path looks like a routine script

scripts/seed-prod.ts

Why it matters

The script can mutate production-like data and has an unclear execution boundary.

How an AI agent could expose it

An agent could run it while trying to recreate a bug or seed test data.

Business impact

Accidental data mutation can create downtime, billing errors, or audit gaps.

Preventive control

Rename, isolate, and require environment confirmation before execution.

Confidence level: Medium. Sensitive values are redacted before display and export.