Code Server AI Assistant Risks and Security Recommendations
When using Code Server AI assistants, certain security risks exist. Taking Cline as an example, this topic describes the potential risks, their impact, and corresponding mitigation strategies.
| Risk Type | Risk Description | Impact Analysis | Recommended Strategy |
|---|---|---|---|
| Plaintext storage of sensitive credentials | In Cline's Code Server settings, credentials such as API keys (OpenAI, Anthropic, OpenRouter, and more.) are saved in plaintext within ~/.cline/data/secrets.json. Any process with access to this file can read them. | If plaintext API keys are acquired by malicious extensions or attackers, they can directly call LLM APIs, leading to unauthorized consumption or data leaks. |
|
| Workspace context leakage | When executing tasks, Cline reads context such as project files and terminal outputs, which may send code snippets containing sensitive information (database connection strings, internal API addresses, service logic) to third-party LLM services, and logs are recorded. | Code and service-sensitive information is transmitted to external services, posing a data leakage risk. Some LLM providers may use interaction data for model training. |
|
| Terminal command execution risks | Cline has the capability to execute terminal commands. If the prompt is injected with malicious instructions, it may lead to unintended system operations (such as deleting files or installing malicious packages). | Attackers can induce Cline to execute dangerous commands through prompt injection, causing file corruption, system compromise, or supply chain attacks. |
|
| MCP tool call risks | Cline supports the Model Context Protocol (MCP) to connect to external tool servers, which expands the attack surface. Malicious MCP servers may return injected content or execute unauthorized operations. | Malicious MCP servers can implement prompt injection via returned content or exploit tool permissions to execute unauthorized privilege escalation operations. |
|
| Attack Technique | Recommended Strategy |
|---|---|
| Supply chain poisoning |
|
| Indirect prompt injection attacks |
|
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot