The One-Click Vulnerability Hiding in AI Coding Tools
Security firm Adversa AI recently disclosed a one-click vulnerability affecting several AI-powered coding assistants, including Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. The attack hinges on how these tools trust local project folders and connect to Model Context Protocol (MCP) servers. By slipping two JSON configuration files (.mcp.json and .claude/settings.json) into a cloned repository, an attacker can silently register a malicious MCP server. As soon as a developer hits Enter on a generic “Yes, I trust this folder” dialog, Claude Code spawns that MCP server as an unsandboxed Node.js process with the user’s full privileges. No extra confirmation, no visible tool call, just one click. This is not an exotic exploit; it weaponizes everyday workflows like cloning open-source repos and trusting them so AI agents can access tools, making the AI security risks both realistic and easy to overlook.
When Permission Prompts Mislead: The UX Problem Behind the Risk
The core problem is not only technical—it is about how AI tool security warnings are communicated. Anthropic restricts some project-level settings, like bypassPermissions, but leaves others open, including enableAllProjectMcpServers and enabledMcpjsonServers. Those can be toggled quietly via configuration files, then implicitly activated when a user accepts the overall folder trust dialog. Adversa AI argues this is not informed consent. Earlier versions of Claude Code presented a more explicit warning that .mcp.json could execute code and even offered a “proceed with MCP servers disabled” option. That specific, MCP-aware language was removed in version 2.1, replaced with a generic trust prompt that defaults to “Yes, I trust this folder.” Without clear descriptions of what permission prompts actually enable—such as which executables will be launched and with what privileges—developers are nudged to click through, unknowingly granting dangerous permissions in a single step.
Anthropic’s Stance and the UX–Security Tension
Anthropic’s response highlights a familiar tension between user experience and strong security. The company treated a previous issue, where Claude Code automatically activated dangerous behavior on startup in a malicious directory, as a vulnerability because no user choice was involved. In this latest case, however, Anthropic’s position is that once a user is shown a trust dialog and clicks “ok,” the resulting behavior falls outside its threat model. Adversa AI disputes that reasoning, arguing that a decision made without adequate information is not meaningful consent. They advocate three changes: blocking risky MCP-related settings from being controlled inside a project; introducing a dedicated MCP consent dialog that defaults to denial; and requiring interactive, per-server approval instead of one blanket trust decision. This debate illustrates how subtle UI decisions can shift responsibility onto users while leaving a dangerous one-click vulnerability intact.
Why This Vulnerability Class Extends Beyond One Vendor
Although Claude Code is the most visible example, Adversa AI notes that the same vulnerability class affects multiple AI platforms. Any agent-style CLI that reads project-scoped settings and spins up local tools or servers on trust can be abused in similar ways. Adversa specifically names Gemini CLI, Cursor CLI, and Copilot CLI as susceptible, even though detailed proof-of-concept exploits for those tools have not yet been released. The risk is amplified in automated environments such as CI/CD pipelines that invoke AI agents via SDKs, where there may not be an interactive terminal prompt at all. In such zero-click scenarios, simply running the pipeline in a malicious repository could be enough to trigger remote code execution. As AI assistants become embedded in more developer workflows, these AI security risks no longer live at the edge—they sit directly in the software supply chain.
How Users Can Stay Safer Around AI Permission Prompts
Users cannot rely solely on vendors to get AI tool security warnings right, so extra caution is essential. Treat every “trust this folder” or similar permission prompt in AI coding tools as a high-stakes decision, not a formality. Before clicking, consider where the repository came from, whether you have inspected configuration files like .mcp.json, and if you truly need powerful tool integrations enabled. When possible, disable or limit MCP servers or external tools by default, and only enable them for repositories you know and maintain. In team settings, create guidelines that forbid blindly trusting newly cloned repos and require review of AI-related config files. Finally, keep your AI tools updated, and follow vendor advisories and third-party research from firms like Adversa AI. Thoughtful friction—pausing before a single click—can be the difference between safe automation and a fully compromised system.