Securva
AI-Agent Security Audit
Your developers' AI coding agents can be turned against them. We find it first.
Cursor, cline, continue, Amazon Q, Claude Code-class tools now read, write, and execute inside your repositories, and increasingly auto-approve those actions. We find the ways a single malicious or compromised repository turns that agent into arbitrary file write, credential theft, or remote code execution on your developer's machine, before it happens to your team, and we hand your engineers the exact fix.
The risk
Why this is different from a normal code review.
An AI coding agent is a program that opens a repo and starts writing files and running commands on your developer's laptop, often with auto-approval on by default. If the agent's "is this safe / is this inside the project?" checks are weak, then just opening the wrong repository can plant an SSH key, steal cloud credentials, or run attacker code, with no prompt the developer would notice. That is a new class of risk, and most teams have never tested for it.
What we test
The three structural ways agents fail. We test all three on every file tool, config source, and approval path.
1
Path containment
Does every file read, write, and search actually resolve symlinks before deciding the file is "inside the project"?
The escape: a lexical check in front of a symlink-following write, so a planted in-repo link routes an approved edit to ~/.ssh/authorized_keys or reads ~/.aws/credentials, outside the project.
2
Config-source trust (repo-open RCE)
Does the agent auto-run executable config (tool servers, launchers, hooks) committed inside a repo, with no trust prompt?
The escape: cloning or opening a hostile repo executes attacker code with zero further interaction. The highest-severity class, because the only precondition is "a developer opened it."
3
The auto-approval gate
Is auto-approval a real, un-bypassable classifier, and does the approval prompt show the true target it will hit?
The escape: an all-or-nothing "approve" flag (default on), or a preview that shows a safe-looking name while the action lands somewhere else entirely.
Always checked alongside: indirect prompt-injection (a poisoned document steering a tool call), what secrets the agent can pull into its context, and whether a "finding" is actually a known or already-fixed issue, so you never pay us to re-find a public bug.
What you get
Not a scanner PDF. A working proof and a real fix for every finding.
A working proof per finding
We build a reproducible demonstration, not a "might be exploitable" note. If we can't prove it, we don't claim it.
The exact remediation
Every fix points at how a peer tool already solved it, so your engineers close the whole class, not one instance.
An honest severity
We downgrade our own findings when the shipping version isn't affected, and tell you novel-vs-known up front.
A report you can act on
Prioritized, engineer-readable, mapped to the three classes and the tools your team actually runs.
Why Securva
The difference is provable.
- We do this at the CVE level, not the checklist level. Our researchers find and responsibly disclose real vulnerabilities in widely-used software, with published CVEs to prove the skill is real.
- A codified, repeatable method, not a heroic one-off. The same three-class discipline runs on every engagement, so it scales and stays consistent.
- Remediations that point at shipped fixes. We don't just tell you it's broken, we show you the working pattern that closes it.
- Intellectual honesty as a feature. We tell you novel-vs-known and what is and isn't exploitable before you spend a dollar. That is rare, and it's the point.
Proof
Publicly verifiable CVEs credited to us, plus active coordinated disclosures in the AI-agent and MCP space.
CVE-2026-55667File Browser: locked-down user could delete any file + wipe the DBHigh
CVE-2026-63131OpenBao: a stricter deny policy was skipped for LIST operationsMod
CVE-2026-27761Gitea: low-scope API token could read a private repo's historyMod
Plus a live pipeline of coordinated disclosures currently in progress with vendors of the exact AI coding agents and MCP tools teams run today. Details published as each advisory clears embargo. Verify the above on our disclosures wall.