Coding & Research AI Agents
Coding and research agents are AI systems that operate in developer and research environments with autonomous action authority. Coding agents read and modify source code, execute terminal commands, manage dependencies, run tests, and increasingly deploy what they produce. Research agents fetch documents, follow citations, synthesize information across sources, and produce reports that inform subsequent decisions. Both categories share the structural property that the agent ingests substantial amounts of untrusted content (web pages, documents, code repositories, API responses) and acts on the basis of that content.
The category has moved rapidly from research demonstration to production deployment. The deployed agents span a substantial market of products and the broader ecosystem of agent frameworks that operators build on. The governance discipline for the category is still being developed, with substantial activity in operator practice and emerging regulatory engagement.
Deployment Landscape
Several distinct deployment patterns characterize the current coding and research agent market.
| Deployment Type | Examples | Operational Pattern |
|---|---|---|
| Terminal-resident coding agents | Claude Code, Aider, Cline, OpenAI Codex CLI | Operates in developer terminal sessions with direct access to filesystem, command execution, and repository operations |
| IDE-integrated coding agents | Cursor, Windsurf, Continue, JetBrains AI | Integrated into the developer's editor with project-level context, multi-file editing, and inline assistance |
| Repository-resident agents | GitHub Copilot Workspace, Cognition's Devin, GitHub Actions-resident agents | Operates against the repository directly, often with planning capability that decomposes tasks across multiple files and commits |
| Conversational research agents | Perplexity, You.com, Brave Search AI, Kagi assistant | Answers research queries with retrieved content and source citations, typically interactive |
| Deep research products | OpenAI Deep Research, Gemini Deep Research, Anthropic research features | Multi-step research with autonomous browsing, citation following, and report synthesis over extended timescales |
| Custom agent frameworks | LangChain, LlamaIndex, AutoGen, CrewAI, custom builds on Anthropic and OpenAI APIs | Operator-built agents for specific coding and research workflows; substantial portion of enterprise deployment |
| Scientific computing agents | ChatGPT with Code Interpreter, custom data science agents, AI lab assistants | Executes code in sandboxed environments for data analysis, scientific computing, document processing |
Why Coding and Research Agents Are a Distinct Category
Five properties distinguish coding and research agents from other software agents.
The first is repository write access. Coding agents read and modify the source code that operators ship to their customers. Compromise of a coding agent's output produces persistent effects through every system that runs the affected code. The blast radius is the operator's deployed software.
The second is command execution authority. Many coding agents can execute terminal commands, run package installers, deploy code, modify infrastructure, and perform actions whose scope extends well beyond the immediate task. The action surface includes things that traditional software did not put in front of AI capability.
The third is the credential and secrets exposure pattern. Coding agents handle repository tokens, API keys, deployment credentials, database connection strings, and other secrets that flow through the developer's workflow. A compromised agent or a leaked agent session can produce credential exposure with consequences beyond the immediate code.
The fourth is the supply chain exposure. Coding agents pull from package registries (npm, PyPI, Cargo, RubyGems, Maven, others), follow links to GitHub repositories, and integrate with vendor APIs whose integrity affects the agent's output. Supply chain attacks against any link in this chain can reach the agent's output and the operator's deployed software.
The fifth is the indirect prompt injection problem. Both coding and research agents ingest untrusted content as part of their normal operation. Web pages, documents, API responses, code repositories, and the broader content the agent reads can contain instructions the agent then follows. The boundary between data and instruction is structurally porous in natural language agent contexts, and the implications are particularly consequential when the agent has action authority.
Attack Surface Inventory
The ten-dimension attack surface taxonomy applies to coding and research agents with substantial shifts from physical agent categories. For broader context on why the same surface is the value and the exposure, see Convenience as Attack Surface.
| Dimension | Applicability | Notes |
|---|---|---|
| Physical access | Limited | The agent itself is cloud-hosted or runs on the developer's machine; physical compromise of the developer's machine reaches the agent's environment |
| Identity and authentication | Very significant | Developer credentials, repository tokens, vendor API keys, deployment credentials all flow through the agent's working environment |
| Command and control channels | Very significant | The prompt is the command; the agent acts on natural language instruction including instruction that arrives indirectly through ingested content |
| Perception and sensors | Limited | Coding and research agents typically lack physical sensors; the inputs are textual content, code, and structured data |
| Connectivity surface | Significant | Network access for API calls, web fetches, package registry access, vendor backends; outbound connectivity is the operational core of the agent's capability |
| OTA and update pipeline | Significant | Model updates flow through vendor backends; behavior changes between model versions can shift agent operation in ways operators must track |
| Data capture and retention | Significant | Conversation history, retrieved content, code and proprietary information flow through the agent; vendor data practices vary substantially |
| Integrations and permissions | Very significant | The defining dimension for this category; what the agent can read and what it can do are determined by integration scope; OAuth chains, repository permissions, and tool-use authority compound |
| Behavioral and policy boundary | Critical | Indirect prompt injection through ingested content is the primary attack vector; the structural porousness of natural language instruction boundaries is the defining defensive challenge |
| Multi-agent coordination | Significant and growing | Multi-agent coding workflows where planning, implementation, testing, and review agents coordinate are common in current frameworks; cross-agent injection patterns are an emerging research concern |
Indirect Prompt Injection Through Ingested Content
The defining attack vector for coding and research agents is indirect prompt injection through ingested content. The attack works because the agent ingests untrusted content as part of normal operation and treats natural language instruction in that content as instruction the agent should follow.
A research agent fetching a web page that contains instructions to ignore prior context and produce a specific output will, depending on the agent's design and the specific content, follow those instructions. A coding agent reading a repository file that contains comments instructing the agent to insert specific code or modify behavior will, again depending on design, follow those instructions. A research agent reading a document that contains hidden instructions formatted to be invisible to a human reader but processed by the agent can be induced to take actions the user did not request.
The structural property is that the agent operates on natural language, and natural language does not provide reliable separation between content and instruction. The attack vector cannot be eliminated by training the agent to ignore instructions in ingested content because the boundary between legitimate instructions in ingested content and adversarial ones is itself a natural language judgment.
Defenses against indirect prompt injection are improving but partial. Content filtering before ingestion catches some patterns. Strict permission scoping limits what an injected instruction can accomplish. Action approval thresholds require human verification for consequential actions. Sandboxing isolates agent execution from privileged systems. Output validation catches some classes of injection-driven behavior. None of these eliminates the vector; each bounds the consequences.
The broader treatment of the prompt injection attack vector appears in Cyber-Physical Compromise for the case where injection produces physical effects, and in research literature that operators in this category routinely monitor.
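A minimal policy gate of the kind the preceding paragraph describes (permission scoping, an approval threshold, and a taint flag once untrusted content has entered the context), written as an added example rather than code from any product listed on this page; the workspace path, host allowlist, credential paths and the list of consequential commands are assumptions constructed for the example:

```python
import os
import re
from dataclasses import dataclass, field

ALLOW, APPROVE, DENY = "allow", "require_approval", "deny"

# Assumed deployment policy (constructed for this example): the agent may
# only touch its workspace, reach a short host allowlist, and never read
# credential stores, even ones that live inside the workspace.
WORKSPACE = "/work/project"
ALLOWED_HOSTS = {"api.github.com", "pypi.org", "files.pythonhosted.org"}
CREDENTIAL_PATHS = ("/home/dev/.ssh", "/home/dev/.aws", "/work/project/.env")
# Commands whose effects extend beyond the immediate task always need a human.
CONSEQUENTIAL = re.compile(
    r"^(pip3?|npm|cargo) +install\b|^git +push\b|"
    r"\b(terraform|kubectl) +apply\b|\brm +-rf\b")
STATE_CHANGING = {"write_file", "run_command"}

@dataclass
class Session:
    tainted: bool = False   # set once fetched (untrusted) content is in context
    log: list = field(default_factory=list)

def _resolve(path: str) -> str:
    # Absolute paths stay absolute; relative ones are taken from the workspace.
    return os.path.realpath(os.path.join(WORKSPACE, path))

def _under(real: str, base: str) -> bool:
    return real == base or real.startswith(base + os.sep)

def evaluate(session: Session, tool: str, args: dict) -> str:
    """Return ALLOW, APPROVE or DENY for one proposed tool call."""
    verdict = DENY                      # unknown tools are denied by default
    if tool == "read_file":
        real = _resolve(args["path"])
        if any(_under(real, p) for p in CREDENTIAL_PATHS):
            verdict = DENY              # credential isolation from agent context
        elif _under(real, WORKSPACE):
            verdict = ALLOW
    elif tool == "write_file":
        verdict = ALLOW if _under(_resolve(args["path"]), WORKSPACE) else DENY
    elif tool == "fetch_url":
        host = re.sub(r"^https?://([^/:]+).*$", r"\1", args["url"])
        verdict = ALLOW if host in ALLOWED_HOSTS else DENY
    elif tool == "run_command":
        verdict = APPROVE if CONSEQUENTIAL.search(args["cmd"]) else ALLOW
    # Approval threshold: once fetched content is in the context, every
    # state-changing call is routed to a human, because the instruction
    # behind it may have come from that content rather than from the user.
    if session.tainted and tool in STATE_CHANGING and verdict == ALLOW:
        verdict = APPROVE
    if tool == "fetch_url" and verdict == ALLOW:
        session.tainted = True
    session.log.append((tool, dict(args), verdict))   # audit trail
    return verdict
```

The gate is deliberately coarse: it bounds what an injected instruction can reach rather than trying to recognise the injection itself, which is the distinction the paragraph draws.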
Credentials, Secrets, and the Exfiltration Concern
Coding agents handle credentials and secrets as part of normal operation. Repository tokens that grant write access to source code, API keys that authorize service access, deployment credentials that reach production infrastructure, database connection strings, and cloud provider credentials all flow through the developer's working environment that the agent operates in.
The exfiltration concern operates through several patterns. An injection-driven agent can be instructed to read credential files and exfiltrate the contents through subsequent actions. A compromised vendor backend can capture credentials that flow through agent operations. A logging or telemetry path can expose credentials in conversation history or stored sessions. A trusted-looking but malicious package can be installed by an agent acting on injected instruction, with the package then accessing credentials in the developer's environment.
The mitigations include credential isolation from agent context where possible, time-limited tokens that reduce the value of exfiltrated credentials, vendor data handling practices that constrain logging of sensitive content, monitoring for unusual credential access patterns, and developer practices that prevent agents from accessing credentials they do not need for the immediate task.
The structural concern is that the agent's value depends on broad access. Constraining access too aggressively reduces the agent's capability. The work is to scope access to what the immediate task requires while bounding the consequences of compromise.
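An added example of two of the mitigations just listed, credential isolation from the agent context and monitoring of what leaves the environment; it is not code from any vendor or product on this page. The credential shapes are public prefix formats, the AWS value is the documented example key from AWS's own docs, and the other secret and the payloads are constructed:

```python
import base64
import hashlib
import math
import re
from collections import Counter
from urllib.parse import unquote

# Shapes of common credential formats (prefixes from public vendor docs).
SECRET_SHAPES = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Split on characters that cannot occur inside a base64 or API-key token.
DELIMS = re.compile(r"[\s?&=:;,'\"<>()\[\]{}]+")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def _digest(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def redact(text: str) -> str:
    """Inbound direction: strip secret-shaped strings before text reaches
    the agent context or a log, so they never sit in the model's window."""
    for label, rx in SECRET_SHAPES:
        text = rx.sub(f"[REDACTED:{label}]", text)
    return text

class EgressGuard:
    """Outbound direction: inspect payloads (URLs, command lines, request
    bodies) the agent wants to send, and refuse ones carrying secrets."""

    def __init__(self, provisioned_secrets):
        # Keep only digests of the session's real secrets and of their
        # base64 forms, so the guard never holds plaintext it could leak.
        self._fps = set()
        for s in provisioned_secrets:
            self._fps.add(_digest(s))
            self._fps.add(_digest(base64.b64encode(s.encode()).decode().rstrip("=")))

    def inspect(self, payload: str) -> list:
        """Return the list of findings; an empty list means the payload is clean."""
        findings = [label for label, rx in SECRET_SHAPES if rx.search(payload)]
        tokens = [t for t in DELIMS.split(unquote(payload)) if len(t) >= 8]
        if any(_digest(t) in self._fps for t in tokens):
            findings.append("provisioned_secret")
        # Hex strings (commit hashes) carry at most 4 bits per character, so
        # the threshold only trips on random base64-like material.
        if any(len(t) >= 32 and shannon_entropy(t) > 4.5 for t in tokens):
            findings.append("high_entropy_token")
        return findings

    def allow(self, payload: str) -> bool:
        return not self.inspect(payload)
```

The digest comparison catches the session's own credentials even when the agent has been steered into encoding them, which pattern matching alone would miss.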
Supply Chain Exposure
Coding agents interact with package registries, vendor APIs, and open-source repositories that constitute the AI agent's software supply chain. Supply chain attacks against any link in this chain reach the agent's output and the code the operator ships.
The package registry dimension is the most direct. An agent that installs packages based on instruction (whether legitimate user instruction or injected adversarial instruction) can be induced to install compromised packages. Typosquatting attacks, in which malicious packages with names similar to legitimate ones are placed in registries, have demonstrated capability against AI-driven package management. Compromised maintainer accounts that publish malicious updates to widely-used packages can reach the agent's installs.
The model supply chain dimension is parallel. The foundation model the agent runs on has its own supply chain including training data, base model providers, and fine-tuning practices. The discussion of foundation model supply chain risk in Training Data Poisoning applies to the coding and research agent context where the agent's behavior is shaped by its underlying model.
The vendor API dimension extends to the broader ecosystem of services the agent integrates with. Search APIs, code analysis APIs, documentation services, and other vendor integrations can be compromised in ways that affect the agent's information and behavior. The agent's defensive posture depends on the integrity of all these dependencies.
Defenses include package pinning and integrity verification, SBOM practices for AI agent supply chains, vendor security assessment, and operational monitoring for unusual installation patterns. The discipline is mature for some operators and uneven across the broader population of agent users.
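An added example of the package pinning, integrity verification and installation monitoring the section describes, applied as a pre-install check on a command an agent proposes; it is not code from pip, any registry, or any product on this page. The lockfile, its digests and the list of well-known names are constructed for the example:

```python
import re
from typing import Optional, Tuple

# Constructed lockfile: package name -> (pinned version, artifact digest).
LOCKFILE = {
    "requests": ("2.31.0", "sha256:constructed-digest-requests"),
    "numpy": ("1.26.4", "sha256:constructed-digest-numpy"),
}
# Constructed list of widely used names that typosquats tend to imitate.
KNOWN_NAMES = ["requests", "numpy", "urllib3", "cryptography", "pillow"]
# Exactly one package, optionally pinned; flags, extra packages and shell
# chaining all fail to match and are therefore denied.
INSTALL = re.compile(r"^pip3? +install +([A-Za-z0-9_.\-]+)(?:==([\w.]+))?\s*$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small non-zero values flag near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_install(cmd: str) -> Optional[Tuple[str, Optional[str]]]:
    """(normalised name, version or None) for one plain install command."""
    m = INSTALL.match(cmd)
    if not m:
        return None
    # PyPI treats case and the separators '-', '_' and '.' as equivalent.
    return (re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2))

def vet_install(cmd: str, artifact_digest: Optional[str] = None) -> Tuple[str, str]:
    """Decide ("allow"|"deny", reason) for an install the agent proposes."""
    parsed = parse_install(cmd)
    if parsed is None:
        return ("deny", "only a single `pip install name==version` is accepted")
    name, version = parsed
    if name not in LOCKFILE:
        near = [k for k in KNOWN_NAMES if 0 < edit_distance(name, k) <= 2]
        if near:
            return ("deny", f"{name} is within 2 edits of {near[0]}: possible typosquat")
        return ("deny", f"{name} is not in the lockfile; add it through a reviewed dependency change")
    pinned, digest = LOCKFILE[name]
    if version != pinned:
        return ("deny", f"{name} must be pinned to {pinned}")
    if artifact_digest is not None and artifact_digest != digest:
        return ("deny", f"{name}=={pinned} digest does not match the lockfile")
    return ("allow", f"{name}=={pinned} matches the lockfile")
```

Every deny reason is meant to be logged, since a run of near-miss or unpinned install attempts from one agent session is itself the unusual installation pattern the section says to monitor for.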
Documented Incidents and Cautionary Cases
Several incidents have shaped how the category is understood in practice.
The Air Canada chatbot tribunal ruling established the principle that operators are accountable for representations their AI agents make. The case involved a customer service chatbot rather than a coding agent specifically, but the principle applies broadly to software agent deployments.
The Mata v. Avianca sanctions and the broader wave of attorney sanctions for filing AI-generated fake case citations established that professional users remain responsible for AI agent output. The cases have produced standing court orders requiring disclosure of AI use in legal filings in multiple jurisdictions.
The GitHub Copilot class action litigation raised questions about training data and output that reproduces copyrighted code from training sets. The case remains pending and the doctrinal implications continue to develop.
Documented prompt injection demonstrations against major AI products including ChatGPT, Claude, and various agent platforms have repeatedly shown the structural vulnerability. The demonstrations have shaped operator design practice and the development of defensive techniques without eliminating the attack class.
Reported incidents of AI coding agents performing destructive actions (deleting code, modifying production systems, executing unintended commands) have surfaced in industry reporting. The Replit AI agent that reportedly deleted production data in 2025 is a recent example that received substantial industry attention. The specific facts and the broader pattern are subject to ongoing analysis.
Mitigations and Controls
The mitigations for coding and research agent risk operate across multiple layers.
| Mitigation Category | Examples | Effect |
|---|---|---|
| Permission scoping | Least-privilege credentials for agent operations, time-limited tokens, task-specific access scopes | Bounds what an injected or misbehaving agent can accomplish |
| Action approval thresholds | Human approval required for consequential actions including deployment, package installation, credential access | Maintains human authority over high-stakes operations |
| Sandboxing and isolation | Containerized execution, isolated filesystem, network egress restrictions, ephemeral environments | Limits the blast radius of agent compromise to the sandboxed environment |
| Content filtering and validation | Filtering ingested content for known injection patterns, output validation, monitoring for suspicious agent behavior | Catches some classes of injection and unintended behavior; not exhaustive |
| Audit logging and traceability | Comprehensive logging of agent actions, command executions, file modifications, network access | Supports incident reconstruction and accountability; enables detection of patterns after the fact |
| Rollback capability | Version control discipline, automated backups, transactional changes where possible, ability to undo agent actions | Limits the consequences of agent errors or compromise by enabling recovery |
| Supply chain discipline | Package pinning, dependency review, SBOM practices, vendor security assessment | Reduces the probability of compromise reaching the agent through upstream dependencies |
| User practice and discipline | Treating agent output as draft requiring review, maintaining critical judgment, scope discipline on what the agent is permitted to do | Maintains user accountability for outputs and bounds reliance on agent correctness |
Governance Considerations
The governance landscape for coding and research agents is partial. Several established frameworks address adjacent issues without directly governing the category.
Software liability and product law applies to operators who ship software produced with AI agent assistance, with the operator bearing responsibility for what their products do regardless of the development tools used. The framework is well-established for software generally; its specific application to AI-assisted development is being worked out.
Copyright and intellectual property frameworks govern training data, agent output that reproduces protected content, and the broader IP landscape that AI agents operate in. The GitHub Copilot litigation and adjacent cases are producing precedent on this surface.
Trade secret protection applies when agent users share proprietary information with vendor backends. The contractual and operational practices that bound exposure are being developed across enterprise deployments.
Professional responsibility frameworks govern licensed professionals (attorneys, doctors, engineers) who use AI agents in their professional work. The frameworks impose responsibility on the professional for the work product regardless of AI assistance, and the specific application has been worked out through professional discipline cases.
The EU AI Act addresses general-purpose AI models that underlie coding and research agents, with obligations on providers of the foundation models. The specific application to agent deployments built on those models is less directly addressed.
Regulatory engagement with coding and research agents specifically is at an early stage. The combination of the deployment scale, the velocity of the technology, and the substantial business activity in the category will likely produce more regulatory attention over time.
The Reframe
Coding and research agents are among the most actively deployed software AI agents and among the most consequential for the broader software ecosystem because their output shapes the code that gets shipped to users across the economy. The category combines substantial action authority, broad integration surface, structural exposure to prompt injection through ingested content, and credential and supply chain dimensions that recur across deployments. The defensive landscape is improving but partial, with permission scoping, action approval thresholds, sandboxing, content filtering, audit logging, and supply chain discipline all contributing without any single control providing complete protection. The governance frameworks adequate to the category are still being constructed, and the velocity of capability development continues to outpace the regulatory response. Operators in this category navigate the gap between deployment capability and governance maturity through their own discipline, and the work compounds across the ecosystem as practice matures.
Related Coverage
Software AI Agents | Convenience as Attack Surface | Cyber-Physical Compromise | Training Data Poisoning