{"ID":6620522,"CreatedAt":"2026-07-15T01:01:48.440468303Z","UpdatedAt":"2026-07-17T01:52:36.034038722Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.12428","arxiv_id":"2607.12428","title":"Trust but Verify? Uncovering the Security Debt of Autonomous Coding Agents","abstract":"The increasing adoption of autonomous coding agents accelerates software development but also introduces scoped security risks within high-impact file paths that can outpace traditional human review capacity. While prior research has primarily evaluated these systems in terms of functional correctness and productivity, this paper presents a large-scale empirical study using the AIDev dataset to systematically characterize security code smells in agent-generated pull requests (PRs). Through a combination of a validated LLM-as-a-judge framework and manual qualitative analysis, we identify and classify security misconfigurations across 16,112 file changes spanning 4,022 pull requests. Our results reveal that 38.9% of agent-generated PRs contain at least one security smell, with supply chain integrity issues accounting for 82.3% of all detected security smells. Furthermore, hard-coded credentials constitute 99.6% of all critical-severity security smells. Crucially, we find that human collaborators are responsible for introducing 67.6% of genuine leaked secrets within these agent-assisted workflows, while existing automated and human review processes fail to detect 81.1% of these credentials prior to integration. These findings highlight substantial security risks in agent-assisted software development workflows and suggest a potential reduction in developer vigilance. They also underscore the urgent need for context-aware security guardrails implemented directly at the point of human-AI collaboration.","short_abstract":"The increasing adoption of autonomous coding agents accelerates software development but also introduces scoped security risks within high-impact file paths that can outpace traditional human review capacity. While prior research has primarily evaluated these systems in terms of functional correctness and productivity,...","url_abs":"https://arxiv.org/abs/2607.12428","url_pdf":"https://arxiv.org/pdf/2607.12428v1","authors":"[\"A H M Nazmus Sakib\",\"Dipayan Banik\",\"Murtuza Jadliwala\"]","published":"2026-07-14T06:59:41Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[\"Large Language Model\"]","has_code":false}
