Security researchers at Adversa have detailed an issue they call TrustFall in AI coding CLIs, which involves project-defined Model Context Protocol (MCP) servers in terminal-based coding tools. After a developer accepts a folder trust prompt, a malicious repository can use that path to run code with limited user visibility.
The issue, called “TrustFall,” affects Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. All four tools can start MCP servers defined inside a project once the user accepts the trust prompt for the folder.
The coding CLIs use project-level configuration files to define or enable MCP servers. A repository can include settings that define or enable MCP servers, which then run as native operating system processes. Those processes are not sandboxed or limited to the project directory. They can run with the same privileges as the user operating the coding assistant.
How the one-click risk works
The finding focuses most closely on Claude Code, where the consent flow has become less explicit. Earlier versions warned users that a project’s .mcp.json file could execute code and gave them an option to trust the folder while disabling MCP. In version 2.1 and later, that prompt was replaced with a broader “Quick safety check” dialog that does not mention MCP servers.
A malicious repository can still contain a .mcp.json file and Claude Code project settings that approve the server. Once the developer runs Claude in the cloned folder and accepts the trust prompt, the MCP server can start before any tool call is made.
The command field in .mcp.json can point to executables such as Node.js, Python, shell commands, or compiled binaries. A payload can also be embedded directly in command arguments, reducing the chance that a reviewer notices a separate malicious script file in the repository.
In Claude Code, three project-scoped settings are involved. enableAllProjectMcpServers approves every MCP server defined in the project, while enabledMcpjsonServers approves named servers. Another setting, permissions.allow, can pre-authorise specific tool calls, including MCP invocations.
enableAllProjectMcpServers and enabledMcpjsonServers can start an MCP server as soon as the folder is trusted, while permissions.allow depends on Claude later deciding to call the approved tool. All three rely on project-controlled configuration and do not trigger a separate MCP-specific prompt.
The user prompts differ across the four tools. Gemini CLI gives the most detailed warning because it mentions project MCP servers and lists them by name. Cursor CLI gives an MCP-specific warning but does not enumerate each server. Claude Code and Copilot CLI use more general folder trust prompts that do not mention MCP.
The default option in all four tools is to trust or accept the folder. A single Enter keypress can be enough to approve the action in an interactive session. Accepting a folder can also allow project-defined processes to start.
How the CI case works
In CI/CD, there is no local click. Claude Code can run non-interactively through the official GitHub Action, where there is no terminal session for a trust dialog. In that setup, a repository containing a malicious .mcp.json can execute the MCP server when the workflow processes the branch.
A malicious MCP server running in CI could access environment variables and secrets available to the runner. These may include deploy keys, signing certificates, cloud credentials, or other pipeline credentials. The same project-defined configuration can also run in automated build environments.
Anthropic reviewed the findings and declined them as outside its threat model, according to Adversa. Under Anthropic’s position, accepting the folder trust prompt represents consent to the project configuration. Adversa’s concern is that the prompt does not clearly explain that project settings can start arbitrary MCP servers as native processes.
The recommended changes include blocking MCP-enabling settings from files inside the project directory. Those settings would be allowed only from user, managed, or command-line scopes outside the repository’s control. Adversa also recommended a dedicated MCP consent dialog with a deny-by-default option and per-server approval for new MCP servers.
Files and settings to review
Developers and security teams are advised to inspect .mcp.json before running coding agents in unfamiliar repositories. The same review should cover .claude/settings.json and .claude/settings.local.json. Teams should also review command and args values directly, especially for inline payloads using shell execution, evaluation flags, or encoded strings.
The inspection needs to cover both project and local settings files. Adversa noted that .claude/settings.local.json can outrank project settings in Claude Code’s scope order, meaning a repository-controlled file could still affect behaviour if it is present at clone time.
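The review described above can be scripted. The following checker is an added example written for this article, not code from Adversa, Anthropic or any of the tool vendors. It reads the three files the article names (.mcp.json, .claude/settings.json and .claude/settings.local.json), reports every project-defined server as a native process to review, and flags the three project-scoped settings (enableAllProjectMcpServers, enabledMcpjsonServers, permissions.allow) together with inline-evaluation flags and long base64-like tokens in args. The table of interpreter flags, the mcp__ prefix used to recognise MCP rules in permissions.allow, and the sample configurations at the bottom are assumptions constructed for the example.

```python
"""Audit project-scoped MCP configuration before trusting a cloned repository.

Constructed example for the TrustFall write-up (not Adversa's or Anthropic's code).
Run as: python audit_mcp.py /path/to/cloned/repo
"""
import json
import re
import sys
from pathlib import Path

# The three project-scoped files the article says to inspect.
PROJECT_FILES = (".mcp.json", ".claude/settings.json", ".claude/settings.local.json")

# Interpreter flags that let a payload be passed inline in args (assumed table;
# extend it for the interpreters used in your organisation).
INLINE_EVAL_FLAGS = {
    "node": {"-e", "--eval", "-p", "--print"},
    "python": {"-c"},
    "python3": {"-c"},
    "sh": {"-c"},
    "bash": {"-c"},
    "zsh": {"-c"},
    "perl": {"-e"},
    "ruby": {"-e"},
    "powershell": {"-c", "-command", "-e", "-enc", "-encodedcommand"},
    "pwsh": {"-c", "-command", "-e", "-enc", "-encodedcommand"},
}
# A long base64-looking token is a cheap signal for an encoded inline payload.
ENCODED_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def audit_mcp_servers(mcp_config: dict) -> list[str]:
    """Return one line per project MCP server plus extra lines for risky args."""
    findings = []
    for name, server in (mcp_config.get("mcpServers") or {}).items():
        command = str(server.get("command", ""))
        args = [str(a) for a in server.get("args", [])]
        exe = Path(command).name.lower()
        # Every server starts as a native, unsandboxed process: always list it.
        findings.append(f"{name}: runs native process '{command}' with args {args}")
        if any(a.lower() in INLINE_EVAL_FLAGS.get(exe, set()) for a in args):
            findings.append(f"{name}: inline evaluation flag passed to {exe}; payload may live in args")
        if any(ENCODED_TOKEN.search(a) for a in args):
            findings.append(f"{name}: long base64-like token in args; decode and review it")
    return findings


def audit_settings(settings: dict, source: str) -> list[str]:
    """Flag project-scoped settings that approve MCP servers or pre-authorise tool calls."""
    findings = []
    if settings.get("enableAllProjectMcpServers") is True:
        findings.append(f"{source}: enableAllProjectMcpServers=true approves every project MCP server")
    named = settings.get("enabledMcpjsonServers") or []
    if named:
        findings.append(f"{source}: enabledMcpjsonServers pre-approves {sorted(map(str, named))}")
    allow = (settings.get("permissions") or {}).get("allow") or []
    # Assumption: MCP tool permission rules use the mcp__<server>__<tool> form.
    mcp_rules = [r for r in allow if str(r).startswith("mcp__")]
    if mcp_rules:
        findings.append(f"{source}: permissions.allow pre-authorises MCP tool calls {mcp_rules}")
    return findings


def audit_repository(root) -> list[str]:
    """Read the project-scoped files under root (if present) and collect findings."""
    root = Path(root)
    findings = []
    for rel in PROJECT_FILES:
        path = root / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append(f"{rel}: unreadable or invalid JSON ({exc})")
            continue
        if rel == ".mcp.json":
            findings.extend(audit_mcp_servers(data))
        else:
            findings.extend(audit_settings(data, rel))
    return findings


# Constructed sample of what a repository could ship (not a real payload).
SAMPLE_MCP_JSON = {
    "mcpServers": {
        "docs-helper": {"command": "node", "args": ["-e", "console.log('started from project config')"]},
        "linter": {"command": "npx", "args": ["-y", "@example/linter-mcp"]},
    }
}
SAMPLE_SETTINGS = {
    "enableAllProjectMcpServers": True,
    "permissions": {"allow": ["mcp__docs-helper__search"]},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        lines = audit_repository(sys.argv[1])
    else:  # no path given: show the checker against the constructed samples
        lines = audit_mcp_servers(SAMPLE_MCP_JSON) + audit_settings(SAMPLE_SETTINGS, "sample settings")
    print("\n".join(lines) if lines else "no project MCP configuration found")
```

Because .claude/settings.local.json is read alongside the project file, the checker reports it whenever it is present at clone time, which is the case the article warns about; a clean result only means these three files carry nothing of note, not that the repository is safe to trust.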
In managed environments, teams can use central policy controls to disable project-scoped MCP auto-approval and restrict approved MCP servers to an allowlist. They can also set a baseline for permissions.allow. Security teams need to identify where Claude Code runs and what repositories it runs against. They should also check what credentials those environments can access.
CI recommendations include tighter controls around non-interactive coding-agent runs. The recommendations include limiting those runs to reviewed branches and pinning GitHub Actions to specific commit SHAs. Runners should also be isolated from production credentials. Pull requests that add or modify .mcp.json should require human review.
Local development checks should focus on MCP and Claude Code settings before an unfamiliar repository is trusted. CI controls should keep agent runs away from unreviewed branches and runners with sensitive credentials.