Devin runs shell commands, browses the web, installs packages, and pushes commits to your GitHub repository, all autonomously. Cognition AI launched it in 2024 as the first fully autonomous AI software engineer, and it scored 13.86% on SWE-bench Verified, a standard benchmark for resolving real GitHub issues. That score sounds modest, but no AI tool had previously done it autonomously without human help on each step.
The security question isn't whether Devin writes good code (it does, roughly). The question is what access you're handing over and what happens when an autonomous agent with shell + browser + GitHub write access goes off-script.
TL;DR
Devin is safe to run on isolated branches with scoped credentials, but unsafe to connect to your main branch with broad GitHub permissions. The biggest risks: autonomous package installation (slopsquatting attack vector), shell access that can exfiltrate secrets if your environment is misconfigured, and code quality issues that require review before merging. Cognition holds SOC 2 Type II certification. Treat Devin like a contractor: give it a separate machine account, limit repo access to the work at hand, and review every PR it opens.
What Devin Actually Does
Devin is not an IDE plugin or a chat interface. When you assign it a task, it:
- Reads your codebase and plans an approach
- Opens a shell and executes commands (npm install, pip install, git commands)
- Browses documentation and Stack Overflow in a sandboxed browser
- Makes file changes across your project
- Opens a pull request with its changes
This is categorically different from Cursor or GitHub Copilot, which suggest code but require you to press a key to accept each suggestion. Devin acts. That means the security model is closer to "contractor with laptop access" than "autocomplete with an AI engine."
The Attack Surface
Shell Access
Devin's sandbox includes a real shell. If you pass environment variables with secrets into the session (database URLs, API keys, tokens), those are accessible within the session. Cognition runs sessions in isolated containers, but your secrets still flow through their infrastructure.
The safe pattern: create throwaway credentials for each Devin session. If Devin needs Stripe access to fix a billing bug, create a restricted Stripe test-mode key just for that session. Revoke it after.
GitHub Permissions
Devin needs write access to commit and open PRs. Where teams go wrong: they connect Devin using a personal GitHub account with org-wide access, or they grant admin permissions "to keep things simple."
Create a dedicated machine account (like devin-bot) with write access only to the specific repositories you're assigning tasks on. If you have 20 repos and you're using Devin on one feature, it should not have access to the other 19.
Autonomous Package Installation
When Devin decides your code needs a new dependency, it runs npm install some-package or pip install some-package without asking. This creates two risks:
- Slopsquatting: AI models occasionally hallucinate package names. A hallucinated package name that happens to be registered by a malicious actor gets installed. Devin's autonomous operation means this can happen without you being in the loop.
- Outdated or vulnerable packages: Devin's training data has a cutoff. It may reach for a package version that was current during training but has since had a CVE filed against it.
Review every package in Devin's PR diff. A quick npm audit or pip-audit run in CI catches most issues automatically.
Add a branch protection rule requiring your CI pipeline (including dependency audit) to pass before any PR can merge. Devin's PRs go through the same gate as any other contributor.
Code Quality and Security Patterns
Like any AI coding tool, Devin occasionally generates code with security issues. Common patterns CheckYourVibe flags in AI-generated code:
- Missing authentication on API routes (new endpoints added without auth middleware)
- SQL built with string concatenation instead of parameterized queries
- Secrets hardcoded in utility scripts when Devin doesn't have access to your secrets manager and improvises
- Over-permissive CORS when Devin needs to unblock a frontend integration quickly
These aren't Devin-specific failures. They appear in code from every AI coding tool. The difference with Devin is volume: a single session can touch dozens of files and add multiple new endpoints, so the review surface is larger than a typical Copilot suggestion.
Cognition's Security Posture
Cognition AI holds SOC 2 Type II certification, which covers their infrastructure, access controls, and data handling. Their enterprise tier includes:
- Dedicated infrastructure (sessions don't share compute with other customers)
- Custom data retention policies
- SSO via SAML
- Audit logs of all Devin actions
The free and standard tiers run on shared infrastructure with standard data retention. If you're working with code that has compliance requirements (HIPAA, PCI), use the enterprise tier or get a DPA signed.
Permissions Checklist Before Running Devin
Is Devin Worth the Risk?
For the right tasks, yes. Devin handles well-scoped, standalone work: writing tests, migrating from one library to another, adding a new endpoint that follows an existing pattern. These are tasks where the blast radius of a mistake is limited and the PR diff is reviewable.
Where it creates unnecessary risk: working directly on main (don't), having access to production credentials during development (don't), or being assigned open-ended architectural tasks where the scope of changes is hard to audit.
The security tradeoff is deliberate. Devin is more autonomous than other tools, which is exactly what makes it useful. Your job is to channel that autonomy with proper access controls rather than eliminate it.
Is Devin AI safe to use?
Devin is safe to use if you treat it like a junior contractor with keys to the office. It needs scoped GitHub access (not org-wide admin), isolated credentials, and code review before merging. Skipping those steps is where teams get burned.
Does Devin store my code?
Cognition stores session data to improve Devin. Enterprise customers can negotiate data retention policies. The SOC 2 Type II certification covers their infrastructure, but your code travels through Cognition's servers during each session.
What GitHub permissions does Devin need?
Devin requests write access to repositories. The minimum viable scope is read/write on the specific repos you're working with, not org-level admin. Create a dedicated machine account with exactly those permissions rather than using your personal GitHub account.
Can Devin install malicious packages?
Devin installs packages autonomously during coding sessions. It can hallucinate package names, which is the slopsquatting attack vector. Packages installed by Devin should be reviewed in your pull request just like any other dependency change.
How does Devin compare to Cursor for security?
Cursor is an IDE assistant: it suggests code but you execute everything. Devin actually runs shell commands, installs packages, and commits code on your behalf. The attack surface is much larger. Use Devin for isolated tasks on feature branches; use Cursor for everyday development.
Run a security scan on the code Devin writes before you merge. CheckYourVibe checks for exposed secrets, missing auth, and vulnerable dependencies in 60 seconds.