Lovely UX, but the security implications... #80

@kennethlynne

At least require a secret/nonce in the URL or similar?

Any page can `fetch('http://localhost:4567/health').then(async(r)=>{console.log(await r.json())})`, so any page can prompt inject my machine running with the coding agent's permissions.

Especially sketchy with bypass permissions https://github.com/aidenybai/react-grab/blob/main/packages/provider-claude-code/src/client.ts#L30
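
One way to apply the "require a secret" suggestion above together with Host and Origin checks, as an added example that is not react-grab's code. It assumes the server creates a random token at startup and hands it to its own client; the `authorize` and `safeEqual` names, the allowed origin and the token value are hypothetical.

```javascript
// Added example: a request gate for a localhost agent bridge.
// Hosts, origins and the token are constructed sample values.
const ALLOWED_HOSTS = new Set(['localhost:4567', '127.0.0.1:4567']);
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed dev-app origin

// Constant-time string comparison: no early exit on the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// req needs only { method, headers }, the shape of Node's http.IncomingMessage
// (header names lowercased). Returns the status the server should answer with.
function authorize(req, token) {
  const h = req.headers;
  // 1. Host must be a loopback name this server answers to (DNS rebinding).
  if (!ALLOWED_HOSTS.has(h.host || '')) return { status: 421, reason: 'host' };
  // 2. If the browser sent Origin, it must be the app we expect.
  if (h.origin !== undefined && !ALLOWED_ORIGINS.has(h.origin)) {
    return { status: 403, reason: 'origin' };
  }
  // 3. CORS preflight carries no credentials; answer it for allowed origins only.
  if (req.method === 'OPTIONS' && h.origin !== undefined) {
    return { status: 204, reason: 'preflight', allowOrigin: h.origin };
  }
  // 4. Origin can be absent (curl, no-cors GET), so the secret is always required.
  const m = /^Bearer (\S+)$/.exec(h.authorization || '');
  if (!m || !safeEqual(m[1], token)) return { status: 401, reason: 'token' };
  return { status: 200, reason: 'ok', allowOrigin: h.origin };
}

// Constructed requests: [description, request]
const TOKEN = 'constructed-sample-token-7f3a9c'; // a real one: fresh random bytes per run
const samples = [
  ['unrelated web page', { method: 'GET', headers: { host: 'localhost:4567', origin: 'https://other.example' } }],
  ['rebound hostname', { method: 'GET', headers: { host: 'other.example:4567' } }],
  ['no Origin, no token', { method: 'GET', headers: { host: 'localhost:4567' } }],
  ['expected app + token', { method: 'POST', headers: { host: 'localhost:4567', origin: 'http://localhost:3000', authorization: 'Bearer ' + TOKEN } }],
];
for (const [name, req] of samples) console.log(name, '->', authorize(req, TOKEN).status);
```

On success the server should echo `allowOrigin` in `Access-Control-Allow-Origin` rather than sending `*`.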
