Securing Agentic Coding Workflows In Open Source Repos

TL;DR

Open-source repos need explicit guardrails when contributors use agentic coding tools. Commit MCP structure without secrets, document permission expectations, require human review for AI-assisted diffs, enable sandboxing for risky commands, and keep vulnerability reports on private disclosure paths.

Prerequisites & Requirements

• {"task": "SECURITY.md exists", "description": "Private reporting path and response expectations are documented"}
• {"task": "Branch protection", "description": "Required reviews and CI gates apply to main"}
• {"task": "MCP template reviewed", "description": "Project .mcp.json uses env expansion, not committed secrets"}
• {"task": "Contributor guide updated", "description": "CONTRIBUTING explains approved Claude Code workflows"}
• {"task": "Scanning enabled", "description": "Secret scanning or equivalent checks run on PRs"}

Core Concepts Explained

Public repos amplify agent blast radius

Claude Code security documentation states that MCP server lists live in checked-in settings and that users configure permissions for MCP servers they trust. In open source, those configs and plugin hints are visible to every fork—design them assuming attackers read the file.

MCP in git is structure, not credentials

Official MCP docs support ${VAR} expansion in .mcp.json so teams share server definitions while contributors export secrets locally. Pair templates with README or CONTRIBUTING instructions naming required variables.

AI-assisted PRs need maintainer review discipline

Claude Code best practices emphasize verifying proposed commands and changes before approval. For OSS, extend that to dependency changes, new install scripts, and auth paths—even when CI passes.

Sandboxing and permissions are team policy levers

Security docs describe sandboxed bash, write-scope limits to the working directory, and permission modes. Maintainers can document recommended defaults for contributors without forcing a single global mode.

Step-by-Step Implementation Guide

1. Audit checked-in agent config. Review .mcp.json, plugin manifests, .claude/settings.json examples, and hook samples for secrets or overly broad tool allowlists.

2. Replace secrets with env contracts. Use ${API_KEY} placeholders; document export steps in CONTRIBUTING, not in committed values.

3. Publish workflow expectations. State which MCP servers are optional vs required, and that contributors must run untrusted install scripts only in disposable environments.

4. Harden PR review for AI changes. Require human reviewers for auth, network, dependency, and release automation diffs; link to a checklist in the PR template.

5. Enable sandbox guidance. Recommend /sandbox or dev containers for contributors running Claude Code against unfamiliar forks.

6. Add narrow hooks if needed. Use reviewed hooks for notifications or config-change auditing—not hidden network exfiltration.

7. Train on disclosure. Route suspected vulnerabilities through SECURITY.md; never debate exploit details in public issues.

8. Review quarterly. Re-read MCP additions, plugin updates, and permission drift as Claude Code releases change defaults.

Maintainer Checklist for AI Contributor PRs

Example CONTRIBUTING Snippet

## Agentic coding tools

- Use project `.mcp.json` templates with local env vars only; never commit secrets.
- Run Claude Code install/build steps from this PR in a disposable environment first.
- Mark AI-assisted PRs in the description and complete the security checklist.
- Report vulnerabilities privately per SECURITY.md—not in public issues.

Troubleshooting

Contributor committed an API key

Rotate the credential, purge history per your policy, and switch the config to ${VAR} expansion with scanner follow-up.

Recommended MCP server is too powerful

Remove it from the default template; document it as opt-in with oauth.scopes pins and maintainer approval.

CI green but behavior looks wrong

Require reviewer-owned evidence per best practices—generated explanations are not proof in public repos.

Fork maintainer enabled bypassPermissions

Document that bypass modes are maintainer-local only; do not check bypass settings into shared project files.

Source Verification Notes

Verified against Claude Code security, best practices, MCP, and sandboxing documentation on 2026-06-16:

• Security docs describe permission-based architecture, MCP user configuration responsibility, prompt injection mitigations, and secure credential storage.
• MCP docs describe project-scoped .mcp.json for teams, env expansion, OAuth scope pinning, and trust verification for new servers.
• Best practices docs emphasize reviewing commands and changes before approval.
• Open Source Guides best practices reinforce clear contribution and security expectations for public communities.

Duplicate Check

This guide complements review-ai-generated-code-before-merge (PR reviewer checklist), safe-claude-code-hooks (hook-specific safety), and secret-handling-for-mcp-servers-and-agent-tools (credential handling mechanics). None combine maintainer-oriented open-source policy for MCP templates, contributor AI PR review, sandbox guidance, and SECURITY.md disclosure in one workflow.

References

• Claude Code security - https://code.claude.com/docs/en/security
• Claude Code best practices - https://code.claude.com/docs/en/best-practices
• Claude Code MCP - https://code.claude.com/docs/en/mcp