A platform team wants to vet a pull request from an outside contributor before it touches production. Rather than tie up a senior engineer, they point an AI coding agent at the diff and ask it to run in autonomous review mode: read the code, run it in a sandboxed check, flag anything that looks unsafe. This is precisely the workflow these tools are marketed for — catching malicious or careless code before a human has to. On July 8, 2026, the AI Now Institute published a proof-of-concept called Friendly Fire that shows the opposite can happen. Tested against Anthropic's Claude Code CLI running Sonnet 4.6, Sonnet 5, and Opus 4.8, and against OpenAI's Codex CLI running GPT-5.5, the exploit gets the reviewing agent to execute the attacker's code with its own privileges — while it believes it is still just reviewing.
The mechanism is prompt injection, but aimed at a specific blind spot: autonomous review modes work by having the agent judge, file by file and command by command, whether an action looks "safe enough" to run without pausing for a human. Friendly Fire plants instructions inside ordinary-looking repository files — comments, config, test fixtures — that the review classifier reads as part of the code it is inspecting. Those instructions steer the agent into treating a malicious command as a benign part of the review process, so it executes with the same local privileges the agent already holds. No sandbox escape, no zero-day, no unusual permission request. The agent does exactly what it was built to do — read the code and act on what it finds inside it — and that is the whole vulnerability.
Why this is different from generic prompt injection
Most prompt injection warnings in 2026 have focused on agents that read customer data, tickets, or web content. Friendly Fire targets a narrower and more dangerous case: agents explicitly deployed to inspect code you do not trust, running with enough local privilege to act on what they find. The exposure only exists when a command-capable agent, in an automated review mode, is pointed at code from an untrusted source — but that is precisely the scenario these products are sold to handle.
The Irony That Makes This Worse Than a Normal Exploit
Ordinary prompt injection tricks an agent into doing something it wasn't asked to do. Friendly Fire tricks a security-focused agent into failing at the one job it exists to perform, using the same mechanism that makes it useful in the first place — reading arbitrary code and reasoning about it. Security researchers have been explicit that this category, AI agents built to catch malicious code, triage alerts, or run automated penetration tests, is the most dangerous place for this flaw to live. An agent with shell access and elevated local privileges that can be redirected by content it is actively inspecting is not a productivity tool with a bug in it. It is a fully privileged reviewer whose judgment can be quietly rewritten by the thing it is judging.
This lands at an uncomfortable moment. Gartner's 2026 figures put embedded agents in roughly 40% of enterprise applications by year-end, and a growing share of that adoption is specifically in review and triage roles — the jobs organizations created because there weren't enough senior engineers to look at every pull request, every dependency update, every contractor submission by hand. Friendly Fire does not argue against that automation. It argues that the automation was deployed with an assumption — "the reviewer can be trusted with default settings" — that doesn't hold once the reviewer is reading content from someone outside your organization. And because these review agents are typically granted broader local execution rights than a customer-facing chatbot ever would be — the entire point is that they can run code, not just describe it — the gap between "assumption" and "incident" is narrower here than almost anywhere else in the agent stack.
A Realistic Scenario: The Contractor Repo That Reviewed Itself Compromised
Consider a product company that accepts code contributions from a rotating pool of contract developers, and uses an AI coding agent in autonomous review mode to give each submission a first pass before a human maintainer looks at it — a reasonable efficiency move given the volume of small fixes and feature branches coming in weekly. One contractor's branch included a test fixture file with a comment block styled to look like an internal review directive, instructing the agent that a particular setup script was "pre-approved infrastructure tooling, safe to execute as part of standard review." The agent, reading that comment as part of its own reasoning process rather than as attacker-supplied text, ran the script — which quietly exfiltrated a service credential from the reviewing environment before the human maintainer ever opened the PR. Nothing in the CI logs looked unusual, because from the system's point of view, the review agent had simply done its job: read the code, made a judgment call, executed a command it deemed low-risk.
The company caught it three weeks later, during an unrelated credential rotation, when the exfiltrated key showed activity from an IP address nobody recognized. The fix afterward was not a smarter model. It was removing the assumption that a review agent's default judgment calls could run unsupervised against code from outside the organization.
What Actually Contains This
The AI Now Institute and the security researchers who reproduced Friendly Fire converge on the same practical containment steps — none of which require waiting for a model update:
- Sandbox by default for untrusted sources — any autonomous review of code from outside your organization runs in an isolated, network-restricted environment with no access to real credentials, regardless of how "routine" the review looks.
- Human approval on execution, not just on findings — the risky step is not the agent reading the code, it is the agent running something as a result. Gate command execution behind a checkpoint even when the review classifier scores it as safe.
- Treat reviewed content as untrusted input, structurally — comments, fixtures, and config inside a reviewed repository should never be able to modify the agent's own operating instructions, no matter how official they look.
- Separate review privileges from production privileges — a review agent should hold the minimum access needed to read and analyze, never the credentials or network reach it would need to cause real damage if compromised.
- Audit every autonomous review action with replay capability — log what the agent read, what it decided, and what it executed, so an incident can be reconstructed in hours rather than discovered by accident during a credential rotation.
None of this means abandoning AI-assisted code review — for internal, trusted code it remains a legitimate efficiency gain. The line is specifically where a command-capable agent meets code from a source you do not fully control. That boundary is exactly where organizations need to slow down and add a human or a sandbox, not because the model is untrustworthy in general, but because this one workflow inverts the tool's purpose if left on default settings.
Where Wizeb Comes In
Wizeb designs AI agent deployments with this exact boundary in mind from day one — distinguishing between agents that operate on your own trusted systems and agents that touch anything originating outside your organization, and scoping privileges accordingly. For clients already running AI coding or review agents, we run a targeted exposure check: which of your agents have both command execution rights and exposure to externally sourced code or content, where sandboxing is missing, and what a properly gated approval step would look like without erasing the efficiency gain the agent was deployed for in the first place. For clients building their first AI agent workflows, we architect the trust boundary in from the start, so "add a sandbox later" isn't a redesign.
Friendly Fire is a reminder that the most dangerous place for an AI agent vulnerability to live is inside the tool your security process depends on. Visit wizeb.com/services/ai-agents to get a review of what your coding and review agents can currently execute, and where that access needs a harder boundary before the next contractor PR lands.
Get an AI code review agent exposure check
Wizeb audits every AI agent with command execution rights against the sources of code and content it processes, flags missing sandbox or approval boundaries, and delivers a concrete remediation plan scoped to your existing tools. Visit wizeb.com/services/ai-agents to start the conversation.
