April 20, 20262 min read

The Hidden Attack Surface Inside Every Coding Agent

Most teams still talk about coding agents as if they're just LLMs that write code. That misses the real security picture.

Diagram illustrating the distributed attack surface of a coding agent

Most teams still talk about coding agents as if they’re just LLMs that write code. That misses the real security picture.

A coding agent is not one asset. I find it more useful to think of an agent as a distributed execution surface, which from a security perspective means a distributed attack surface. Looking at OpenClaw makes that especially easy to see.

A Kanxue post I read this week described a real audit of a single environment containing:

  • 14 agent instances
  • 60 MCP servers
  • 189 skills/plugins
  • 10 API config sets
  • an SBOM with 383 software components

And that is exactly the point: even before you add MCPs and plugins, agents install packages, write files, execute shell, Python, and Node commands, and access configs, credentials, and secrets.

The researcher used an analogy of peeling an AI agent like a lobster. Odd image aside, the underlying point is sharp: You think you installed a single piece of software. In practice, you inherited an attack surface spread across directories, workspaces, MCP servers, plugins, configs, keys, and software dependencies.

When an organization says, “we deployed an agent,” what they often really deployed is a sprawl of workspaces, toolchains, configs, dependencies, and integrations, usually with way too much access. And that sprawl changes over time, as agents download, install, and build as they operate.

What I liked about the Kanxue post is not that it invents a brand-new category of risk. It doesn’t. What it does offer is a practical asset model for thinking about coding-agent security: Coding agents are not point assets. They are spread assets.

And the post does not stop at theory. It grounds that model in a concrete case study and a lightweight audit script for enumerating agents, MCPs, skills, configs, and SBOM components on a host.


If you’re running coding agents in an organization, a reasonable baseline is:

  1. Inventory agents and forgotten workspaces
  2. Map MCPs and identify high-privilege ones
  3. Review skills/plugins and verify provenance
  4. Centralize configs, keys, and model endpoints
  5. Generate SBOMs and assess inherited dependencies

This is where a mature agent security program starts.

The attack surface is already much wider than most organizations realize, and security teams need to focus on the execution surface, not just the model.