Updated on 2026-07-14 GMT+08:00

Code Server AI Assistant Risks and Security Recommendations

When using Code Server AI assistants, certain security risks exist. Taking Cline as an example, this topic describes the potential risks, their impact, and corresponding mitigation strategies.

Table 1 Major risks

Risk Type

Risk Description

Impact Analysis

Recommended Strategy

Plaintext storage of sensitive credentials

In Cline's Code Server settings, credentials such as API keys (OpenAI, Anthropic, OpenRouter, and more.) are saved in plaintext within ~/.cline/data/secrets.json. Any process with access to this file can read them.

If plaintext API keys are acquired by malicious extensions or attackers, they can directly call LLM APIs, leading to unauthorized consumption or data leaks.

  • Use environment variables instead of directly entering API Keys.
  • Rotate API keys regularly.
  • Clear the configurations in the ~/.cline directory right after saving an image to avoid leaking sensitive information.
  • Restrict the installation sources of Code Server extensions to prevent malicious extensions from reading configurations.

Workspace context leakage

When executing tasks, Cline reads context such as project files and terminal outputs, which may send code snippets containing sensitive information (database connection strings, internal API addresses, service logic) to third-party LLM services, and logs are recorded.

Code and service-sensitive information is transmitted to external services, posing a data leakage risk. Some LLM providers may use interaction data for model training.

  • Review .clineignore configurations to exclude sensitive files.
  • Prioritize LLM providers that support data privacy (data not used for training).
  • Avoid using AI-assisted editing for core sensitive modules.

Terminal command execution risks

Cline has the capability to execute terminal commands. If the prompt is injected with malicious instructions, it may lead to unintended system operations (such as deleting files or installing malicious packages).

Attackers can induce Cline to execute dangerous commands through prompt injection, causing file corruption, system compromise, or supply chain attacks.

  • Always enable Cline's command confirmation mechanism to review and approve commands line by line before execution.
  • Avoid auto-approving commands in untrusted repositories.
  • Regularly review terminal execution history.

MCP tool call risks

Cline supports the Model Context Protocol (MCP) to connect to external tool servers, which expands the attack surface. Malicious MCP servers may return injected content or execute unauthorized operations.

Malicious MCP servers can implement prompt injection via returned content or exploit tool permissions to execute unauthorized privilege escalation operations.

  • Only connect to trusted MCP servers.
  • Review the permission scopes of MCP tools.
  • Remain vigilant regarding content returned by MCPs and avoid blind trust.
Table 2 Attack techniques and strategy recommendations

Attack Technique

Recommended Strategy

Supply chain poisoning

  • For any sensitive operation (deleting files, sending emails, transferring funds), manual confirmation steps must be configured.
  • Adhere to the principle of least privilege; grant the AI only the permissions strictly necessary to complete the task. Never grant one-click full authorization for convenience.

Indirect prompt injection attacks

  • For any sensitive operation (deleting files, sending emails, transferring funds), manual confirmation steps must be configured.
  • Adhere to the principle of least privilege; grant the AI only the permissions strictly necessary to complete the task. Never grant one-click full authorization for convenience.