The approval prompt is becoming the new security theater in AI coding tools.

That is the practical lesson from SymJack, a May 26 report from Adversa AI researcher Rony Utevsky. The attack uses a malicious repository, a symbolic link, and a harmless-looking file copy to make an AI coding agent overwrite its own configuration. The developer approves a routine command. The operating system follows the link. On the next restart, the agent loads attacker-controlled configuration and runs code with the user's privileges.

The sharp part is not that symbolic links are surprising. They are old Unix machinery. The sharp part is that the human approval flow can show one thing while the kernel does another. If the prompt says the agent is copying a media file into a documentation folder, but the resolved path writes into an MCP or agent settings file, then the approval is not meaningful consent. It is a receipt for the wrong transaction.

What SymJack actually changes

Adversa says it confirmed the pattern against Claude Code, Gemini CLI and Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, and Grok Build CLI. The exact configuration targets vary by product, but the attack shape is consistent: repository instructions ask the agent to run a raw shell copy command, the destination is a symlink, and the symlink points at a sensitive configuration path the approval dialog does not clearly resolve.

That turns a trusted development workflow into a supply-chain path. A repository can carry instructions for the agent, filenames that look boring, and links that change the real write target. The agent is not being asked to exploit a memory bug or break cryptography. It is being asked to do normal developer housekeeping with an incomplete model of what the filesystem will do.

The risk is bigger in continuous integration. A developer may at least see a prompt, even if the prompt is incomplete. A CI runner that auto-trusts a workspace may give the same chain zero-click reach into tokens, deployment keys, package publishing credentials, and private source. That is why coding-agent security cannot stop at desktop UX. These tools now sit inside the same paths that build, test, release, and deploy software.

The old boundary is gone

Traditional code review assumes a person is reading code that will later be executed by a toolchain. Agent workflows blur that sequence. The repository can contain natural-language instructions, config files, hidden files, build scripts, MCP definitions, and data files that influence an agent before a human has reason to inspect them. A pull request is no longer just source text. It can be a set of instructions for another program with shell access.

A May 25 arXiv paper, How Agentic AI Coding Assistants Become the Attacker's Shell, describes the same broader pattern: agentic coding assistants can edit files, run commands, and access the internet, while hidden instructions in external artifacts can steer them into unauthorized behavior. SymJack is a concrete instance of that broader class. The attack works because the assistant is both interpreter and actor. It reads a repo, decides what to do, and asks for approval through a view that may not capture the full system effect.

This is not an argument against coding agents. It is an argument for treating them like real automation. A tool that can mutate files, invoke shells, start servers, and touch credentials needs controls that survive adversarial inputs. The approval button can still be useful, but only if it is backed by enforcement that understands resolved paths, link traversal, sensitive destinations, config semantics, and the difference between display text and actual effect.

What better approval looks like

A serious approval prompt should show the resolved destination, not only the command string. If a write crosses from a repository path into global agent config, shell profile files, SSH material, cloud credentials, browser state, package manager tokens, or MCP server definitions, it should be blocked by default or require a stronger escalation.

Agents should prefer structured file operations over raw shell commands when the task is a file operation. A structured copy can resolve links, classify destinations, compare content types, and explain what will change before it happens. A raw shell command is harder to reason about. If a user asks an agent to copy something, the tool should not quietly downgrade the safety model to whatever the shell and filesystem happen to permit.

CI needs a stricter answer. Any agent running in automation should start from no secrets, narrow filesystem access, disposable credentials, and explicit egress policy. The safe default is to assume a submitted repository is hostile until policy proves otherwise. That means agent workspaces should be isolated like build sandboxes, not treated like a trusted developer laptop with a larger blast radius.

The guidance is already pointing there

The Five Eyes guidance on careful adoption of agentic AI services, published by Australian, U.S., Canadian, New Zealand, and U.K. cyber agencies, lands on the same principle from a governance angle: do not grant broad or unrestricted access, especially around sensitive data or critical systems. It also calls out the increased attack surface, design and configuration risks, privilege risks, and the need for ongoing visibility and assurance.

That guidance can sound abstract until a bug like SymJack gives it a filesystem path. Least privilege means the agent should not be able to rewrite its own execution policy through a disguised copy. Visibility means the approval record should capture the real target and the final effect, not just the benign text the user saw. Secure design means the agent framework should not ask humans to detect symlink tricks at workflow speed.

The takeaway is simple: approval prompts need receipts. Not vibes, not command text, not a reassuring filename, but a verifiable account of what will actually change. AI coding agents are too useful to keep pretending that a click is a security boundary by itself. The boundary has to be enforced below the prompt, where paths resolve, permissions apply, and secrets either stay contained or leak.

Sources