Open-Source Repo Plants Auth Bugs to Test Whether AI Coding Agents Can Catch Them
A developer tool called FetchSandbox has published an open-source GitHub repository containing intentionally planted security vulnerabilities to benchmark AI coding agents. The most prominent bug is a privilege-escalation flaw in a FastAPI 'Agent Gateway' using Descope, where a read-only agent key can request and receive elevated write-level permissions without any scope validation. Developers can run two structured tasks directly from their IDE — one greenfield and one brownfield audit — against a hosted sandbox, requiring no personal API credentials. The bar for success is not static code review but actual reproduction of the exploit against live Descope API routes, complete with a verifiable run-trace receipt URL. The repo also includes additional broken integrations involving Stripe, Resend, and Clerk, and contributors are encouraged to submit findings — including failure reports — via pull request.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in