AI Coding Agents Are Taking Over Your Terminal: Security Risks Ahead

On May 6, 2026, Ars Technica senior technology editor Lee Hutchinson published a 3,173-word love letter to the command line. Titled "Ars Asks: Share your shell and show us your tricked-out terminals!", the piece is a community call-and-response: readers submit their shell configurations, their prompt themes, their .bashrc archaeology. The article spans five pages of terminal emulator screenshots, ANSI color schemes, and debates over whether fish is finally ready to replace zsh. It is, in the best sense, a document of craft. And it lands in the middle of a spring when the largest developer-tooling vendors on earth are racing to make the terminal something you no longer need to touch.

The same week the Ars Technica piece went live, Microsoft shipped Visual Studio Code 1.115 and 1.116. The releases are dense with features, but one through-line stands out: the terminal is becoming a target for AI agents, not a surface for humans. VS Code 1.115 introduced a preview Agents app in VS Code Insiders, and 1.116 followed with persistent debug logs for current and past agent sessions, as Visual Studio Magazine reported on April 16. Both releases expanded how agents interact with the integrated terminal, letting them spawn processes, read output, and decide what to run next without a human in the loop. The demo scenario is straightforward: an agent watches your test suite fail, inspects the stack trace, opens the relevant file, and proposes a fix, all inside a terminal session it controls.

The gap between these two worldviews is the story of developer tooling in mid-2026. On one side, a readership that treats the shell as a personalised workshop, where every alias and keybinding is chosen deliberately over years. On the other, an industry that sees the shell as a programmable surface, a text stream that can be parsed, predicted, and automated by an LLM with sufficient context. The question is not which side wins. The question is what habits the winning side trains, and whether those are the habits a fourteen-person team actually wants.

The agent-in-terminal pattern is not one product. It is an emerging category. Anthropic's Claude Code, rebuilt in April 2026 around a desktop app with parallel session management and drag-and-drop workspace layouts, treats the terminal as the primary interface for autonomous coding tasks, MacRumors reported on April 15. OpenAI's Codex, originally a command-line agent, gained computer-use capabilities that let it operate desktop applications, including terminal emulators, with its own cursor, Ars Technica noted on April 16. Google's Gemini CLI and the open-source OpenClaw project extend the pattern further, offering agent-driven terminal interaction that spans coding, system administration, and browser automation.

Each of these tools makes the same implicit argument: the terminal is a bottleneck. A human typing git rebase -i HEAD~4 is slower and more error-prone than an agent that can compose the command from context, run it, and handle the merge conflicts. The argument has surface plausibility. But it elides an uncomfortable fact about terminals: they are not just input devices. They are the last place in a modern development stack where a practitioner can see exactly what the machine is doing, one line at a time, with no intermediary. Remove the practitioner from the loop and you remove the one component that can notice when the output does not look right.

Security researchers are already documenting what happens when agents run commands without that noticing function. On March 30, 2026, SiliconANGLE reported on a critical vulnerability in OpenAI's Codex coding agent that could expose GitHub authentication tokens through command injection. The flaw was in how Codex composed shell commands from untrusted input, a class of bug that is nearly impossible to eliminate entirely when an LLM is generating commands dynamically. A month later, on May 2, VentureBeat reported that OX Security had confirmed arbitrary command execution on six live platforms through a flaw in the Model Context Protocol's stdio transport, estimating that 200,000 MCP servers were exposed. Anthropic, which designed MCP, called the behaviour a feature, not a bug: the protocol is meant to let agents run commands.

The feature-versus-vulnerability framing is worth pausing on. When a protocol explicitly designed for AI agents to execute commands on a host machine ships with a mechanism that allows arbitrary command execution, and the vendor says that mechanism is working as intended, something has shifted in the threat model. The traditional Unix security boundary, where the terminal is a trusted path between user and kernel, does not map cleanly onto a world where an LLM is composing the commands. The LLM does not have intentions. It has probabilities. And the probability that it will compose a dangerous command given sufficiently adversarial input is not zero.

The companies building these tools are aware of the tension. Microsoft's approach in VS Code is to sandbox agent terminal access: agents get their own terminal instance, separate from the user's, with restrictions on what commands can run without explicit approval. The persistent debug logs added in VS Code 1.116 are explicitly designed to create an audit trail, so a team can reconstruct what an agent did and when. This is sensible infrastructure. It also reveals the assumption baked into the architecture: agents will make mistakes, and humans will need to clean up after them. The workflow is not "agent replaces developer." It is "agent acts, developer reviews." Whether that review step survives contact with a deadline is a question of team culture, not tooling.

The Ars Technica comment threads from the shell showcase piece are instructive on this point. Respondents describe setups accumulated over years: a .tmux.conf tweaked to handle nested sessions, a PS1 prompt that shows the current Kubernetes context, a fish function that wraps docker-compose with project-specific defaults. These configurations are not cosmetic. They encode institutional knowledge. A prompt that turns red when you are on a production cluster is a safety mechanism that an agent, however capable, does not inherit from reading the shell history. The knowledge lives in the configuration, not the transcript.

The agent vendors are beginning to grapple with this distinction. Anthropic's April 2026 Claude Code redesign includes what the company calls Routines: repeatable, auditable sequences of agent actions that can be shared across a team, VentureBeat reported after testing the release. Routines are essentially shell scripts written in natural language, version-controlled and reviewable. The idea is promising: it preserves the auditability of a shell script while letting the agent handle the low-level command composition. But it also introduces a new class of configuration to maintain, one where the failure modes are less well-understood than a Bash script that has been running in cron since 2019.

The habit these tools train is worth naming directly. When a developer types rm -rf at a prompt, muscle memory and a lifetime of near-misses create a moment of hesitation. The hesitation is a feature. It is not transferable to an agent. What replaces it is a review step: the agent proposes the command, the developer approves or rejects. The review step is only as good as the developer's attention, and attention is a scarce resource on a team that is shipping. The habit the industry is betting on is that developers will review agent output as carefully as they compose their own commands. The history of automation in every other domain suggests that this is not how attention works.

There is a counterargument, and it deserves a fair hearing. The terminal is not a sacred space. Most developers spend a significant fraction of their terminal time running commands they have run before: installing dependencies, restarting services, tailing logs, re-running test suites. Automating those commands with an agent is not fundamentally different from wrapping them in a Makefile or a Justfile, except that the agent can handle the edge cases the Makefile cannot. If the agent saves twenty minutes a day on rote terminal work and costs one hour a week in review and cleanup, the arithmetic favours the agent. The question is whether the arithmetic holds at scale, across a team of fourteen people with varying levels of shell literacy, when the agent's mistakes are not evenly distributed across the week but cluster around the moments right before a deploy.

What the Terminal Becomes

The terminal is undergoing a functional split, and the Ars Technica thread captures one side of it. On the other side, the tools are multiplying. Kane CLI, a terminal-native browser verification tool launched in late April 2026, ships with native support for Claude Code, Codex CLI, Cursor, and Gemini CLI. It is not a developer tool in the traditional sense. It is a tool built for other tools to consume. The terminal is becoming an API, and the agents are the primary callers.

Microsoft's AI Shell, released in preview in November 2024 and iterated through 2025, takes the integration a step further: the shell itself is the agent. Commands are composed in natural language and translated to PowerShell or bash by an LLM that runs inside the shell process. The user types find large files in my home directory and sort by size and the shell produces find ~ -type f -size +100M -exec ls -lh {} \; 2>/dev/null | sort -k5 -h. The translation is good enough most of the time. When it is not, the user is left debugging a command they did not write, in a syntax they may not fully understand, with side effects they did not anticipate.

The debugging problem is acute. A developer who writes their own find command knows what each flag does because they chose it. A developer who accepts an AI-generated command knows what the agent claims each flag does, which is not the same thing. Over time, the skill of reading a man page atrophies. The skill of prompting an agent improves. Whether this trade-off is acceptable depends on the domain. In a system administration context, where a mistyped command can take down a production database, the atrophy matters. In a local development context, where the worst-case outcome is a corrupted node_modules directory, it matters less. Most teams operate somewhere in between, and the tooling does not yet draw a clear line.

Agentic development has absolutely gone mainstream. There is no more tire-kicking going on like we had in 2024 and '25. The customers that are leaning into it are leaning into it hard.Peter Chargin, Google Cloud, as reported by CRN at Google Cloud Next 2026

Chargin's observation, reported by CRN on April 22, captures the enterprise reality. The tire-kicking phase is over. Companies are deploying terminal agents in production workflows, and the infrastructure questions, audit trails, sandboxing, session replay, are being answered under time pressure rather than with deliberation. The VS Code agent debug logs are not a polished feature. They are the first iteration of something that will need to be significantly better within a year. The MCP stdio flaw is not an isolated incident. It is a preview of the vulnerability class that terminal agents will surface as they proliferate.

The Ars Technica shell showcase will age in one of two ways. It could become a historical document, a record of the moment before terminals stopped being tools and started being targets. Or it could become a reminder of why craft matters, a reference for teams building agent workflows that preserve the auditability and deliberate slowness that a good shell configuration embodies. The deciding factor is not the capabilities of the models. It is the defaults the tooling vendors choose. Whether agent terminal sessions are sandboxed by default. Whether audit logs are on by default. Whether the review step is a first-class part of the workflow or a checkbox to dismiss before the deploy goes out.

The terminal was never just a tool. It was a discipline. The discipline was never about memorising flags. It was about knowing, with confidence, what the machine was about to do. The agents are coming for the flags. Whether they also come for the confidence depends on choices being made in pull requests and product reviews right now, by teams that do not always agree on what the terminal is for. Watch the VS Code terminal sandboxing defaults in the next two release cycles. Watch whether Anthropic's Routines feature ships with a diff view. Watch the MCP specification discussions on GitHub, where the line between a feature and a vulnerability is being drawn in real time, one comment thread at a time.