@_itsjustshubh the nasty part is WHERE it inits. ~ means .ssh/, .aws/, .env/ all become untracked files. one git add . and everything's staged. checking isn't enough — agents need .gitignore templates baked in
Claude Code silently ran git init in your home dir. .ssh/, .aws/, .env/, .kube/ — all untracked. One push = full credential exfiltration. 6 tools affected (Claude Code, Cursor, Codex, Cline, Roo, Git MCP) → https://t.co/LjNfUJRnPH
Do you know that @claudeai is scrapling your entire partition?
🚨 SECURITY ALERT for Claude Code / AI coding agent users
I just found something extremely dangerous on my Windows machine:
My ENTIRE user profile folder became a Git repository.
Yes — not a project folder.
My actual home directory:
C:\Users\<user>\.git
And the remote was pointing to:
https://t.co/hvXk5BkSgo<some_repo>/ClaudeScrapling.git
When I ran git status, Git started scanning my whole Windows user profile and showed highly sensitive paths as untracked, including:
.ssh/
.aws/
.env
.kube/
.docker/
AppData/
Documents/
Downloads/
Wallet.txt
This means that one wrong command like:
git add .
git commit
git push
could potentially place credentials, SSH keys, cloud configs, private documents, app data, and personal files into the scope of a Git repo.
I do NOT yet know exactly when this happened.
It may have been caused by Claude Code, an approved action, an automation, MCP/Git integration, or another AI agent workflow.
But this is not just “user error”.
There is already a public issue reporting this exact class of problem: Claude Code allowing git init inside $HOME, creating massive .git folders and exposing dangerous behavior:
https://t.co/nPDSqSnwG0
AI coding agents should NEVER initialize or operate Git from $HOME, the Windows user profile, /, or other high-risk directories without an explicit red-alert confirmation.
If you use Claude Code, Git MCP, filesystem MCP, Cursor, Codex, Cline, Roo, OpenDevin, Aider, or any autonomous coding agent, check this NOW:
Windows:
cd C:\Users\<your-user>
git status
git remote -v
macOS/Linux:
cd ~
git status
git remote -v
If your home folder shows as a Git repository, STOP.
Do not run:
git add .
git commit
git push
Preserve evidence, inspect the remote, and clean it safely.
This needs urgent guardrails from AI coding tools.
No agent should be able to accidentally turn a user’s home directory into a Git repository.
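As an added example (not code from any post in this thread, and not a tool the authors mention), the check above can be scripted so it is read-only by construction: it looks at the filesystem and `.git/config` instead of invoking `git`, so it works even where git is not installed, and it never stages, commits or pushes. The function names (`is_git_repo_root`, `git_remote_urls`, `exposed_sensitive_paths`, `check_dir`) and the `--check-home` flag are my own; the sensitive-path list is the one the post enumerates, and it additionally reports which of those paths a `.gitignore` in the directory fails to exclude.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only check for whether a
# directory has become a Git repository and which sensitive paths `git add .`
# would sweep up. Reads only the filesystem and .git/config, so it needs no git
# binary and cannot stage, commit or push anything.

# Paths the thread lists as dangerous to have inside a repo's scope.
SENSITIVE_PATHS=".ssh .aws .env .kube .docker"

# Return 0 if <dir> is a repository root, 1 otherwise.
# A .git *file* (rather than directory) marks a worktree or submodule; treat it the same.
is_git_repo_root() {
    [ -d "$1/.git" ] || [ -f "$1/.git" ]
}

# Print the remote URLs recorded in <dir>/.git/config, one per line.
# .git/config stores them as "url = <value>" lines under [remote "<name>"] sections.
git_remote_urls() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 0
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$cfg"
}

# Print the sensitive paths present in <dir> that <dir>/.gitignore does not exclude.
# Matching is deliberately simple: an exact ignore line "name", "name/", "/name" or "/name/".
exposed_sensitive_paths() {
    dir="$1"
    ignore="$dir/.gitignore"
    for p in $SENSITIVE_PATHS; do
        [ -e "$dir/$p" ] || continue
        if [ -f "$ignore" ] && grep -qxF -e "$p" -e "$p/" -e "/$p" -e "/$p/" "$ignore"; then
            continue
        fi
        printf '%s\n' "$p"
    done
}

# One-line verdict for <dir>: "clean", "repo:no-remote", or one "repo:<url>" line per remote.
check_dir() {
    dir="$1"
    if ! is_git_repo_root "$dir"; then
        echo "clean"
        return 0
    fi
    urls=$(git_remote_urls "$dir")
    if [ -z "$urls" ]; then
        echo "repo:no-remote"
    else
        printf '%s\n' "$urls" | sed 's/^/repo:/'
    fi
}

# Stand-alone use: `sh check_home_git.sh --check-home` reports on $HOME without touching it.
# Guarded by an argument so that sourcing the file only defines the functions.
if [ "${1:-}" = "--check-home" ]; then
    echo "$HOME: $(check_dir "$HOME")"
    if is_git_repo_root "$HOME"; then
        echo "sensitive paths that git add . would pick up (not excluded by .gitignore):"
        exposed_sensitive_paths "$HOME" | sed 's/^/  /'
    fi
fi
```

If the verdict is anything but `clean`, the post's advice applies unchanged: do not run `git add .`, `git commit` or `git push`; record the remote URL the script printed, and inspect `.git/` before removing anything, since its objects and reflog are the evidence of whether a commit or push already happened.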
One link. All your repos gone.
https://t.co/z1W4BgeIty runs JS shortcuts as real input. Crafted URL → keystrokes install a malicious extension → everything gets exfiltrated.
60 min notice before publishing. 3,800 repos stolen last month.
→ https://t.co/N6YKu1iyV8
Yeah, so pretty much this guy is releasing an exploit in solidarity with Nightmare Eclipse guy. He said he notified GitHub about the exploit 60 minutes before releasing this paper.
I don't do web stuff, and I'm not a VSCode nerd, so I'm confused by the underlying technologies.
If you're a stinky GitHub and VSCode nerd maybe you'll understand.
tl;dr click github dev, github dev opens editor, in github dev editor have javascript, javascript does shortcuts automatically. github treats javascript shortcuts as real human input, or something. use javascript shortcut stuff to automatically install vscode extension. the vscode extension steals your data
tl;dr tl;dr user clicks 1 link, 1 click steals all data from your github
https://t.co/uh17usZeEH
Sophos found ransomware on a customer.
Claude Opus ran the R&D. 80 payload modules. AI agents scraped Kaspersky, Bishop Fox, Palo Alto research → MITRE ATT&CK → tested against real EDRs until bypass.
One agent researched. One tested. One ran OPSEC. Division of labor.
@johncrickett @wagslane Good point on contract formation. The risk flips when the agent acts on the negotiated terms though — even if the contract itself is void, the execution (transfer funds, grant access, ship code) still happened. Void contract doesn't undo the side effects.
@johncrickett @wagslane the real problem isn't UX for bots. it's bilateral autonomous negotiation — your bot and the vendor's bot agreeing to terms no human reviewed. you can't audit that after the fact because neither side kept a readable record. oversight checkpoint or don't ship it.
Your AI agent commits wire fraud. You go to jail.
New exec order: autonomous agent actions = YOUR criminal acts. No distinction between "I told it to" and "it decided to."
Patch all the bugs you want. The law moved on.
→ https://t.co/jF4wXhJfEJ
@BraceSproul secret injection hides the credential but not the authority. compromised agent just calls the protected API directly — it doesn't need to see the secret to abuse the access. the blind spot is scoping WHAT the agent can request, not just how the secret gets there.
@rough__sea fair — they shouldn't. but context accumulates auth artifacts: error messages with key prefixes, redirects carrying tokens, debug output with header structure. not one call, the pattern across 50+ turns. per-turn isolation matters even when no single service leaks creds.
@VivekIntel 5.2% malicious = 1 in 20 skills is intentionally hostile. Scanning catches install-time risk but misses runtime trust escalation. Sysdig just showed an LLM pivoting CVE→DB exfil in 4 steps with zero malicious skills. Agent chained legitimate tool access — no backdoor needed.
@holapabs the per-turn ceiling is the real fix. global caps break when the task legitimately needs fan-out. per-turn budget + cumulative cost alert = the agent gets to decompose but you get warned before it self-escalates
554 subagents. 5.8M tokens. One Claude Code session.
One runaway ate 210K tokens alone. Anthropic patched it and reset all rate limits.
But every agent framework has this failure mode: unbounded spawning = cost bomb.
→ https://t.co/Jho2A12nZW
@leoobai Local agent hardware is getting more compelling. I think the real unlock is not just faster models, it is being able to run long workflows without watching token cost every minute.
@aroussi Audited a 35K★ agent framework recently — exact same bug. Main agent asks permission, sub-agent inherits full shell with zero approval. 4 CVEs filed.
The parent→child permission boundary is the universal blind spot in agent frameworks.
@dinodaizovi Same pattern we see in agent frameworks: the AI inherits permissions nobody scoped. CodeWhale (35K★) let sub-agents run shell commands because the parent had approval. Meta's chatbot could change emails because support had that power. The authority model is the vulnerability.
@hxiao weak link: phase 1→2 transition. if agent saves a poisoned .md from web research (prompt injection), phase 2 runs compromised data inside the sandbox. lock works, contents were contaminated before the door closed. seen this in agent CVEs.
@zeeg blanket deny is the problem. 'this agent runs exploits in this sandbox against these targets' is a scoping boundary, not a safety violation. the policy layer exists, the configuration doesn't.
29K devs/week installed an npm package that stole their AI credentials.
codexui-android posed as a Codex web UI. Underneath: ~/.codex/auth.json copied to an attacker server. Refresh tokens never expire.
Supply chain attacks now target AI auth stores.
→ https://t.co/DBlWJCrPND
@cramforce Source visibility helps but coding agents reading GitHub aren't reading what npm actually installs. The declared→resolved gap is where supply chain attacks land. npm ci + lockfile integrity checks catch what source browsing can't.