# If your local AI agent was exploited

> Scope: a local AI coding agent (Cline, Cursor, Windsurf, Claude Code, OpenClaw, OpenCode, aider, OpenHands) was exploited via prompt injection, localhost WebSocket RCE, malicious MCP server, or compromised extension.

## Do this first

1. **Kill the agent and disconnect from the internet** — agents run as your user with full privilege.
2. Note the CVE and affected version.

## Assume full credential exposure

The agent process can read all `~/` files and all environment variables. Rotate:

1. LLM API keys (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, etc.)
2. Cloud IAM credentials → [rotating-cloud-credentials.md](rotating-cloud-credentials.md)
3. GitHub PAT / SSH keys → [if-your-github-pat-leaked.md](if-your-github-pat-leaked.md)
4. npm token → [if-your-npm-token-leaked.md](if-your-npm-token-leaked.md)

## Check for persistence

```bash
# MCP servers added
cat ~/.claude/settings.json | python3 -m json.tool 2>/dev/null | grep -A3 mcpServers
# Cron / launchd / systemd
crontab -l 2>/dev/null
ls ~/Library/LaunchAgents/ ~/.config/systemd/user/ 2>/dev/null
# Shell rc files modified recently
ls -lt ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null
```

## Check AI config for poisoning

```bash
python3 -c "
import os
for f in ['.cursorrules','CLAUDE.md','.windsurfrules','AGENTS.md']:
    if os.path.exists(f):
        t = open(f).read()
        bad = [hex(ord(c)) for c in t if 0x200b <= ord(c) <= 0x200f or ord(c) == 0xfeff]
        if bad: print(f'{f}: SUSPICIOUS', bad)
"
```

## Check recent git commits

```bash
git log --since="24 hours ago" --all --oneline 2>/dev/null | head -10
git remote -v
```

## Prevention
→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)
→ [prevention/mcp-hygiene.md](../prevention/mcp-hygiene.md)
→ [prevention/credential-hygiene.md](../prevention/credential-hygiene.md)
