Securva
AI-Agent Security Audit

Your developers' AI coding agents can be turned against them. We find it first.

Cursor, cline, continue, Amazon Q, Claude Code-class tools now read, write, and execute inside your repositories, and increasingly auto-approve those actions. We find the ways a single malicious or compromised repository turns that agent into arbitrary file write, credential theft, or remote code execution on your developer's machine, before it happens to your team, and we hand your engineers the exact fix.

The risk

Why this is different from a normal code review.

An AI coding agent is a program that opens a repo and starts writing files and running commands on your developer's laptop, often with auto-approval on by default. If the agent's "is this safe / is this inside the project?" checks are weak, then just opening the wrong repository can plant an SSH key, steal cloud credentials, or run attacker code, with no prompt the developer would notice. That is a new class of risk, and most teams have never tested for it.

What we test

The three structural ways agents fail. We test all three on every file tool, config source, and approval path.
1

Path containment

Does every file read, write, and search actually resolve symlinks before deciding the file is "inside the project"?

The escape: a lexical check in front of a symlink-following write, so a planted in-repo link routes an approved edit to ~/.ssh/authorized_keys or reads ~/.aws/credentials, outside the project.
2

Config-source trust (repo-open RCE)

Does the agent auto-run executable config (tool servers, launchers, hooks) committed inside a repo, with no trust prompt?

The escape: cloning or opening a hostile repo executes attacker code with zero further interaction. The highest-severity class, because the only precondition is "a developer opened it."
3

The auto-approval gate

Is auto-approval a real, un-bypassable classifier, and does the approval prompt show the true target it will hit?

The escape: an all-or-nothing "approve" flag (default on), or a preview that shows a safe-looking name while the action lands somewhere else entirely.

Always checked alongside: indirect prompt-injection (a poisoned document steering a tool call), what secrets the agent can pull into its context, and whether a "finding" is actually a known or already-fixed issue, so you never pay us to re-find a public bug.

What you get

Not a scanner PDF. A working proof and a real fix for every finding.

A working proof per finding

We build a reproducible demonstration, not a "might be exploitable" note. If we can't prove it, we don't claim it.

The exact remediation

Every fix points at how a peer tool already solved it, so your engineers close the whole class, not one instance.

An honest severity

We downgrade our own findings when the shipping version isn't affected, and tell you novel-vs-known up front.

A report you can act on

Prioritized, engineer-readable, mapped to the three classes and the tools your team actually runs.

Why Securva

The difference is provable.

Proof

Publicly verifiable CVEs credited to us, plus active coordinated disclosures in the AI-agent and MCP space.
CVE-2026-55667File Browser: locked-down user could delete any file + wipe the DBHigh
CVE-2026-63131OpenBao: a stricter deny policy was skipped for LIST operationsMod
CVE-2026-27761Gitea: low-scope API token could read a private repo's historyMod
Plus a live pipeline of coordinated disclosures currently in progress with vendors of the exact AI coding agents and MCP tools teams run today. Details published as each advisory clears embargo. Verify the above on our disclosures wall.

Are your developers exposed?

If your team runs AI coding agents, this class is already in your environment. We'll show you where.

Request an assessment See the receipts
Securva · AI & application security, with receipts · hello@securva.net