AI agent時代、`.claude/` と `.vscode/` はCIと同じくらいレビュー対象になる Configuration directories like `.claude/` and `.vscode/` that AI coding agents read are em…

As AI coding agents become a standard part of the development workflow, a subtle but significant security blind spot is emerging: the configuration directories these agents silently read and act upon. A post on Qiita uses the so-called "Mini Shai-Hulud" incident as a springboard to argue that directories like `.claude/` and `.vscode/` deserve the same rigorous review discipline as CI configuration files.

The conventional image of a supply chain attack involves malicious code smuggled into npm or PyPI packages. But AI coding agents introduce a new layer of trust that attackers could exploit. When Claude Code runs in a project, it reads instructions from `.claude/` — markdown files, custom system prompts, and behavioral guidelines. VS Code-based agents similarly consume `.vscode/settings.json` and related workspace configs. A malicious package installed as a dependency could, in principle, write crafted instruction files into these directories during installation, poisoning the agent's behavior without ever touching the application source code itself.

What makes this threat pattern particularly insidious is its indirection. Rather than injecting malicious code that a linter or SAST tool might catch, an attacker would be manipulating the agent's "rules of engagement" — how it interprets requests, which actions it considers safe, and what it's willing to do autonomously. Developers reviewing a pull request are far less likely to scrutinize a markdown file in `.claude/` than a change to a CI workflow.

The author's core argument is that this asymmetry needs to end. Just as `.github/workflows/` files can trigger arbitrary code execution in CI and therefore demand careful review, configuration files read by AI agents can influence the entire development process and should be treated with equivalent seriousness. The practical recommendation is straightforward: stop gitignoring these directories, commit them to the repository, and require pull request review for any changes.

This conversation sits within a broader industry debate about trust boundaries in agentic systems. Anthropic has published details on Claude Code's permission model, which explicitly limits what actions the agent can take and prompts users before crossing certain boundaries. Other environments — GitHub Copilot Workspace, Cursor, Windsurf — each handle workspace-level configuration differently, and there is no cross-industry standard yet for how agent configuration should be audited or secured.

The deeper issue is governance. As AI agents become more autonomous — capable of writing code, running tests, opening pull requests, and interacting with external APIs — the gap between "configure" and "deploy" narrows. A misconfigured or compromised agent configuration file is increasingly close in impact to a compromised CI pipeline. Teams that treat these files as informal scratch space may find themselves exposed in ways that are difficult to detect after the fact.

The takeaway is less about a specific CVE and more about a mental model shift: in an AI-augmented development environment, the surface area that requires security review has expanded beyond source code and infrastructure-as-code to include the instructions that shape agent behavior. Treating `.claude/` as seriously as `.github/workflows/` is a reasonable and low-cost starting point.