If your local AI agent was exploited
Scope: a local AI coding agent (Cline, Cursor, Windsurf, Claude Code, OpenClaw, OpenCode, aider, OpenHands) was exploited via prompt injection, localhost WebSocket RCE, malicious MCP server, or compromised extension.
Do this first
- Kill the agent and disconnect from the internet — agents run as your user with full privilege.
- Note the CVE and affected version.
Assume full credential exposure
The agent process can read all ~/ files and all environment variables. Rotate:
- LLM API keys (
OPENAI_API_KEY,ANTHROPIC_API_KEY, etc.) - Cloud IAM credentials → rotating-cloud-credentials.md
- GitHub PAT / SSH keys → if-your-github-pat-leaked.md
- npm token → if-your-npm-token-leaked.md
Check for persistence
# MCP servers added
cat ~/.claude/settings.json | python3 -m json.tool 2>/dev/null | grep -A3 mcpServers
# Cron / launchd / systemd
crontab -l 2>/dev/null
ls ~/Library/LaunchAgents/ ~/.config/systemd/user/ 2>/dev/null
# Shell rc files modified recently
ls -lt ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null
Check AI config for poisoning
python3 -c "
import os
for f in ['.cursorrules','CLAUDE.md','.windsurfrules','AGENTS.md']:
if os.path.exists(f):
t = open(f).read()
bad = [hex(ord(c)) for c in t if 0x200b <= ord(c) <= 0x200f or ord(c) == 0xfeff]
if bad: print(f'{f}: SUSPICIOUS', bad)
"
Check recent git commits
git log --since="24 hours ago" --all --oneline 2>/dev/null | head -10
git remote -v
Prevention
→ prevention/agent-sandboxing.md → prevention/mcp-hygiene.md → prevention/credential-hygiene.md