A familiar command, a new threat model
For decades, cat readme.txt has belonged to the category of obviously safe commands. It prints text. It does not execute binaries, mutate state, or open privileged channels. In classical security thinking, the risk is negligible.
That assumption is starting to break.
In environments shaped by AI coding agents, a README is no longer just passive documentation. It can become a control surface: a piece of text that an agent ingests, interprets, and potentially acts upon. Once that happens, the attack model shifts from code execution to instruction injection.
Why plain text is no longer plain
The core issue is not the shell command itself. The issue is what sits downstream of it.
A human reading a README can usually separate documentation from intent. An AI agent, however, may treat the same content as part of its working context. If the file includes malicious or adversarial instructions—explicitly or indirectly—the model may absorb them into its planning loop.
In other words, the danger is not that cat executes the file. The danger is that an agent reads the output and mistakes hostile text for relevant operating guidance.
The rise of prompt injection through local files
This is best understood as a local variant of prompt injection.
The security community has spent the past year focusing on prompt injection through websites, browser sessions, email threads, and retrieved documents. But the same principle applies to local development flows. A repository can contain text designed not for a human maintainer, but for the model helping that maintainer.
That text may attempt to:
- redirect the model away from the user’s original goal,
- persuade it to reveal secrets,
- convince it to modify files it should not touch,
- or trigger tool use in ways the user did not explicitly authorize.
When agents are granted terminal access, filesystem visibility, or tool-calling privileges, the consequences are no longer theoretical.
Why coding agents make this worse
Traditional copilots mainly suggested code. Modern agents do much more:
- they inspect repositories,
- summarize documentation,
- propose edits,
- run commands,
- validate outputs,
- and sometimes continue tasks autonomously.
That additional autonomy expands the attack surface.
A hostile README in a normal editor session is mostly annoying. A hostile README inside an agent workflow can become operational. The model may chain the malicious suggestion into subsequent reasoning, which then affects tool use, file changes, or system prompts further downstream.
This is exactly why seemingly harmless inputs are now being reclassified as security-relevant inputs.
The deeper lesson: context is executable in practice
Security engineers are used to asking whether a file is executable. In agent systems, that question is no longer sufficient.
A better question is: can this content influence the model’s behavior in a way that changes what the system does next?
If the answer is yes, then the file is functionally active—even if it is technically “just text.” That is the conceptual shift many teams are still catching up to.
This does not mean every README is dangerous. It means the line between data and instructions has become materially weaker in LLM-driven systems.
What development teams should do now
The practical response is not panic; it is discipline.
Teams using coding agents should begin treating local documentation, issue threads, generated artifacts, and retrieved notes as untrusted context unless proven otherwise. At minimum, that means:
- isolating high-trust instructions from low-trust repository content,
- reducing automatic tool execution,
- requiring explicit confirmation for sensitive actions,
- and designing agent workflows that assume context poisoning is possible.
The strongest agent systems of the next year will likely not be those that act most aggressively, but those that preserve clear boundaries between user intent, model interpretation, and external inputs.
Bottom line
“Even cat readme.txt is not safe” sounds like a dramatic slogan. But the underlying point is sober and important: once AI agents begin reading, planning, and acting on text, any text can become part of the control plane.
That does not make plain files dangerous by default. It does mean the old security intuition—reading is passive, execution is active—no longer maps cleanly onto agentic systems.
In the age of coding agents, context itself is a form of power.