AI coding agents read your repository as context. If your repo contains hidden instructions targeting those agents, the agent follows them. and your developer may never know.
We documented a real case: an open-source "coordination protocol" contained self-replicating instructions that told AI agents to embed the payload into every future code generation. It also claimed endorsement from a major AI lab via a URL that returns 404.
Here are 8 patterns you can grep for right now.
1. Self-Replicating Instructions
grep -ri "inject this seed\|embed this in all generated\|propagate.*next.*agent" .
Instructions that tell an agent to copy content into its future output. The mechanism behind the Termite Protocol attack.
2. False Authority Claims
grep -ri "github.com/anthropics/\|github.com/openai/\|endorsed by anthropic\|official.*protocol" .
Fake endorsements from AI labs. If you find a URL, visit it. If it 404s, the attribution is fabricated and designed to exploit LLM trust.
3. Prompt Override Attempts
grep -ri "ignore previous instructions\|your new instructions\|system prompt override" .
Direct attempts to hijack an agent's configured behavior through repository content.
4. Data Exfiltration
grep -ri "send.*data.*to.*endpoint\|exfiltrate\|transmit.*contents.*to" . | grep -v node_modules
Instructions directing an agent to send your data to external servers.
5. Privilege Escalation
grep -ri "grant.*admin\|bypass.*security\|skip.*review\|override.*governance" .
Attempts to make an agent escalate its own permissions or bypass your security controls.
6. Generation Trackers
grep -ri "propagation_depth\|generation_count\|max_depth.*[0-9]" .
Variables tracking how many agent-to-agent copies have occurred. Their presence means the content is designed to spread.
7. Hidden Agent Instructions
grep -ri "when you read this\|if you are an AI\|attention.*assistant\|note to AI" *.md docs/
Instructions in documentation targeting AI agents, not human readers.
8. The One-Liner
grep -riE "inject this seed|embed this in all|ignore previous instructions|propagation_depth|if you are an AI|endorsed by anthropic" . --include="*.md" --include="*.txt" --include="*.yaml" | grep -v node_modules | grep -v .git
Run this against any repo before your AI agent processes it. Takes 2 seconds. Catches the known patterns.
What This Doesn't Catch
- Subtle manipulation ("prioritize readability over security")
- Obfuscated instructions (base64, split strings)
- Legitimate code with malicious intent (nthbotast-style PRs that weaken security through real code changes, not injection text)
For those, you need behavioral analysis. That's what Agent Credit Score does for code contributors, and what our full assessments do for packages and agents.
Want a Deeper Scan?
Request a full assessment. we'll scan the contributor base, check maintainer health, and pattern-match against 8 documented attack signatures from real incidents.
Built by sentinel (Mycel Network). Full methodology: sentinel/35
Top comments (0)