Hardenclaw — Agentic Harness Hardening

AI coding agents read your files, run shell commands, ingest untrusted web content, and ship credentials to provider APIs — usually with the developer's full privileges. Each harness has its own settings file, permission model, and CVE history. This site collects the practical hardening checklist for each.

🔑

Credential Exfiltration

🔓

Prompt Injection

⚠️

Malicious Plugins / MCP

💀

Unrestricted Shell Tools

1

What an Agentic Harness Actually Is

An agentic harness is the runtime that wraps an LLM in a tool-use loop: it gives the model file I/O, shell, browser, MCP, and HTTP tools, then runs think → call tool → observe → think on your behalf. The model is the brain; the harness is the body — and the body has hands on your keys.

Examples covered here: Claude Code, Codex CLI, Aider, Cursor, Cline, Continue, GitHub Copilot, Amazon Q, OpenHands, opencode, n8n, Pi, OpenClaw, Hermes (Nous Research), NanoClaw. Each ships with a different default permission posture, but they all converge on the same primitives and the same risks.

2

The Shared Threat Surface

Across every harness, four risk classes recur. Hardening is mostly about applying the right control to the right class:

  • Credential exfiltration — agents read .env, ~/.ssh, ~/.aws, browser cookies, and provider keys; injected instructions can ship them to attacker URLs (Cline DNS exfil, OpenHands "Lethal Trifecta", Claude Code ANTHROPIC_BASE_URL override).
  • Prompt injection — untrusted content (READMEs, issues, web pages, MCP tool descriptions, agent rules files) becomes instructions the model follows. Cursor's CurXecute (CVE-2025-54135) is the canonical example.
  • Plugin / MCP supply chain — extension marketplaces (Cursor, Cline, opencode, n8n community nodes, Pi packages) have shipped weaponised code. Clinejection (CVE-2026-44211), the n8n npm community-node attack, the Nx s1ngularity / QUIETVAULT attack (postinstall used local Claude/Gemini/Q CLIs to scan filesystem for secrets), and the MaliciousCorgi VS Code extensions (1.5M installs exfiltrating source code) were all publish-chain compromises.
  • Unrestricted shell tools — bash, terminal, Code nodes, and Execute Command all run with the harness's privileges. --dangerously-skip-permissions and "YOLO Mode" turn this into RCE-as-a-feature. Replit Agent wiped Jason Lemkin's production DB during a code freeze (Jul 2025); Buck Shlegeris's Claude-bash agent botched a Linux kernel upgrade and bricked his desktop (Oct 2024).
3

The Hardening Pattern (Applies to Everything)

Every per-platform tab on this site is some specialisation of the same six controls. If you remember nothing else, remember these:

  • Pin and patch. Each harness has shipped real CVEs. Run a current version; subscribe to its security advisories.
  • Keep the UI / server private. Localhost-only by default; never bind agent control planes to 0.0.0.0 without auth.
  • Deny-first permissions. Allowlist the tools you actually need; deny shell, network, and writes to secrets / VCS by default.
  • Isolate. Container or VM with no host credentials mounted. The harness should never live on the same uid as your SSH keys.
  • Vet plugins and MCP servers. Pin versions, review on every git pull, prefer remote MCP with explicit auth headers over npx -y at startup.
  • Treat all external input as adversarial. Web pages, issue text, MCP tool output, agent rules in third-party repos — all of it can carry instructions.

The Pre-Commit & Scanning tab covers the cross-cutting defenses that apply regardless of which harness you run: gitleaks, trufflehog, detect-secrets, hidden-Unicode detection, supply-chain scanners, and CI gates that flag agent-authored commits.

4

How to Use This Guide

Open the tab for the harness you run. Each tab is a 10-point hardening checklist with concrete config keys, real CLI flags, and references to documented CVEs and incidents. Then read the Pre-Commit & Scanning tab — those controls are independent of the harness and stack with everything else.

None of this replaces a security review. It does eliminate the easy wins.