コード経験ほぼゼロのPMOが、AI駆動開発で「AIに任せる前の安全チェックCLI」を作った話 コード経験ほぼゼロのPMOが、AI駆動開発で「AIに任せる前の安全チェックCLI」を作った話

AI coding agents are now a familiar part of many development workflows, able to read an entire repository, launch external tools, and follow instructions stored in configuration files. That same flexibility introduces a security question that is easy to overlook: when an agent is aimed at an unfamiliar codebase, it can also act on whatever scripts, hooks, and hidden directives that codebase happens to contain. A recent post on Zenn recounts how a project management office (PMO) professional with almost no coding experience used AI-driven development to build a command-line tool that performs a safety check on a repository before any work is handed over to an AI.

The motivation described is practical rather than theoretical. Agents such as Claude Code, Cursor, and Cline are designed to be helpful by default, which means they will read project files, respect repository-level settings, and invoke whatever tooling a project defines. If the repository originates from an unknown source, those conveniences can become liabilities. An external script triggered by a setup step, an automated hook, or an instruction embedded in a configuration or documentation file could prompt an agent to execute commands the user never intended to run. This class of problem is closely related to prompt injection, where text that the model reads is crafted to alter its behavior.

The tool described is positioned as a lightweight gate that runs before the agent does. Rather than trusting a freshly cloned repository outright, the CLI appears to scan it for the kinds of artifacts that warrant a closer look, such as setup scripts, configuration files that direct agent behavior, and references to external resources, so that a human can review them first. The emphasis is on giving the user a moment to inspect what an agent would otherwise consume silently. It is a screening step, not a guarantee, and the author frames it as a way to reduce risk rather than eliminate it.

Part of what makes the story notable is the category it sits in. The post is filed under MCP, a reference to the Model Context Protocol, the open standard introduced by Anthropic in late 2024 that gives AI assistants a common way to connect to external tools and data sources. MCP has been widely adopted because it makes agents more capable, but expanding the number of tools and data connections an agent can reach also expands the surface that needs to be trusted. A pre-flight check that surfaces what a repository or its associated configuration would expose fits naturally into this broader conversation about agent safety.

The development method is itself part of the point. The author identifies as a PMO with effectively no programming background and built the tool through AI-driven development, directing an AI to generate and refine the code rather than writing it by hand. This approach, sometimes informally called vibe coding, has lowered the barrier for non-engineers to produce working utilities. It also illustrates a feedback loop worth noting: the same agents that create new security considerations are now being used to build the tooling meant to manage them.

The idea connects to established practices in software supply chain security. Engineers have long used dependency scanners such as Dependabot and Snyk, secret-detection tools, and sandboxed environments like development containers to limit what untrusted code can do. A safety-check CLI for AI agents extends that mindset to a newer scenario, where the entity reading the code is an autonomous assistant rather than a build server. Running agents inside containers, restricting file-system and network access, and reviewing agent-specific files such as CLAUDE.md or .cursorrules before use are complementary measures that address the same underlying concern.

For readers, the broader takeaway is less about one particular utility