[{"data":1,"prerenderedAt":354},["ShallowReactive",2],{"blog-is-safe/devin":3},{"id":4,"title":5,"body":6,"category":327,"date":328,"dateModified":328,"description":329,"draft":330,"extension":331,"faq":332,"featured":330,"headerVariant":338,"image":339,"keywords":340,"meta":341,"navigation":342,"ogDescription":343,"ogTitle":339,"path":344,"readTime":345,"schemaOrg":346,"schemaType":347,"seo":348,"sitemap":349,"stem":350,"tags":351,"twitterCard":352,"__hash__":353},"blog/blog/is-safe/devin.md","Is Devin AI Safe? Security Review of the Autonomous AI Engineer (2026)",{"type":7,"value":8,"toc":312},"minimark",[9,13,16,22,29,34,37,56,59,63,68,71,78,82,85,96,100,111,126,136,142,146,149,175,178,182,189,203,206,210,238,242,245,248,251,285,304],[10,11,12],"p",{},"Devin runs shell commands, browses the web, installs packages, and pushes commits to your GitHub repository, all autonomously. Cognition AI launched it in 2024 as the first fully autonomous AI software engineer, and it scored 13.86% on SWE-bench Verified, a standard benchmark for resolving real GitHub issues. That score sounds modest, but no AI tool had previously done it autonomously without human help on each step.",[10,14,15],{},"The security question isn't whether Devin writes good code (it does, roughly). The question is what access you're handing over and what happens when an autonomous agent with shell + browser + GitHub write access goes off-script.",[17,18,19],"tldr",{},[10,20,21],{},"Devin is safe to run on isolated branches with scoped credentials, but unsafe to connect to your main branch with broad GitHub permissions. The biggest risks: autonomous package installation (slopsquatting attack vector), shell access that can exfiltrate secrets if your environment is misconfigured, and code quality issues that require review before merging. Cognition holds SOC 2 Type II certification. Treat Devin like a contractor: give it a separate machine account, limit repo access to the work at hand, and review every PR it opens.",[23,24,26],"verdict-badge",{"verdict":25},"caution",[10,27,28],{},"Devin AI is safe with proper access controls, but riskier than other AI coding tools by default due to its autonomous shell and GitHub access.",[30,31,33],"h2",{"id":32},"what-devin-actually-does","What Devin Actually Does",[10,35,36],{},"Devin is not an IDE plugin or a chat interface. When you assign it a task, it:",[38,39,40,44,47,50,53],"ol",{},[41,42,43],"li",{},"Reads your codebase and plans an approach",[41,45,46],{},"Opens a shell and executes commands (npm install, pip install, git commands)",[41,48,49],{},"Browses documentation and Stack Overflow in a sandboxed browser",[41,51,52],{},"Makes file changes across your project",[41,54,55],{},"Opens a pull request with its changes",[10,57,58],{},"This is categorically different from Cursor or GitHub Copilot, which suggest code but require you to press a key to accept each suggestion. Devin acts. That means the security model is closer to \"contractor with laptop access\" than \"autocomplete with an AI engine.\"",[30,60,62],{"id":61},"the-attack-surface","The Attack Surface",[64,65,67],"h3",{"id":66},"shell-access","Shell Access",[10,69,70],{},"Devin's sandbox includes a real shell. If you pass environment variables with secrets into the session (database URLs, API keys, tokens), those are accessible within the session. Cognition runs sessions in isolated containers, but your secrets still flow through their infrastructure.",[10,72,73,77],{},[74,75,76],"strong",{},"The safe pattern:"," create throwaway credentials for each Devin session. If Devin needs Stripe access to fix a billing bug, create a restricted Stripe test-mode key just for that session. Revoke it after.",[64,79,81],{"id":80},"github-permissions","GitHub Permissions",[10,83,84],{},"Devin needs write access to commit and open PRs. Where teams go wrong: they connect Devin using a personal GitHub account with org-wide access, or they grant admin permissions \"to keep things simple.\"",[86,87,88],"warning-box",{},[10,89,90,91,95],{},"Create a dedicated machine account (like ",[92,93,94],"code",{},"devin-bot",") with write access only to the specific repositories you're assigning tasks on. If you have 20 repos and you're using Devin on one feature, it should not have access to the other 19.",[64,97,99],{"id":98},"autonomous-package-installation","Autonomous Package Installation",[10,101,102,103,106,107,110],{},"When Devin decides your code needs a new dependency, it runs ",[92,104,105],{},"npm install some-package"," or ",[92,108,109],{},"pip install some-package"," without asking. This creates two risks:",[112,113,114,120],"ul",{},[41,115,116,119],{},[74,117,118],{},"Slopsquatting:"," AI models occasionally hallucinate package names. A hallucinated package name that happens to be registered by a malicious actor gets installed. Devin's autonomous operation means this can happen without you being in the loop.",[41,121,122,125],{},[74,123,124],{},"Outdated or vulnerable packages:"," Devin's training data has a cutoff. It may reach for a package version that was current during training but has since had a CVE filed against it.",[10,127,128,129,106,132,135],{},"Review every package in Devin's PR diff. A quick ",[92,130,131],{},"npm audit",[92,133,134],{},"pip-audit"," run in CI catches most issues automatically.",[137,138,139],"tip-box",{},[10,140,141],{},"Add a branch protection rule requiring your CI pipeline (including dependency audit) to pass before any PR can merge. Devin's PRs go through the same gate as any other contributor.",[64,143,145],{"id":144},"code-quality-and-security-patterns","Code Quality and Security Patterns",[10,147,148],{},"Like any AI coding tool, Devin occasionally generates code with security issues. Common patterns CheckYourVibe flags in AI-generated code:",[112,150,151,157,163,169],{},[41,152,153,156],{},[74,154,155],{},"Missing authentication on API routes"," (new endpoints added without auth middleware)",[41,158,159,162],{},[74,160,161],{},"SQL built with string concatenation"," instead of parameterized queries",[41,164,165,168],{},[74,166,167],{},"Secrets hardcoded in utility scripts"," when Devin doesn't have access to your secrets manager and improvises",[41,170,171,174],{},[74,172,173],{},"Over-permissive CORS"," when Devin needs to unblock a frontend integration quickly",[10,176,177],{},"These aren't Devin-specific failures. They appear in code from every AI coding tool. The difference with Devin is volume: a single session can touch dozens of files and add multiple new endpoints, so the review surface is larger than a typical Copilot suggestion.",[30,179,181],{"id":180},"cognitions-security-posture","Cognition's Security Posture",[10,183,184,185,188],{},"Cognition AI holds ",[74,186,187],{},"SOC 2 Type II"," certification, which covers their infrastructure, access controls, and data handling. Their enterprise tier includes:",[112,190,191,194,197,200],{},[41,192,193],{},"Dedicated infrastructure (sessions don't share compute with other customers)",[41,195,196],{},"Custom data retention policies",[41,198,199],{},"SSO via SAML",[41,201,202],{},"Audit logs of all Devin actions",[10,204,205],{},"The free and standard tiers run on shared infrastructure with standard data retention. If you're working with code that has compliance requirements (HIPAA, PCI), use the enterprise tier or get a DPA signed.",[30,207,209],{"id":208},"permissions-checklist-before-running-devin","Permissions Checklist Before Running Devin",[211,212,213,218,222,226,230,234],"checklist-section",{},[214,215],"checklist-item",{"description":216,"label":217},"Use devin-bot or similar with minimum required GitHub permissions","Create a dedicated machine account",[214,219],{"description":220,"label":221},"Grant write access only to repos involved in the current task","Scope repo access",[214,223],{"description":224,"label":225},"Create session-specific API keys that expire or can be revoked","Use throwaway credentials",[214,227],{"description":228,"label":229},"Require CI (including security scans) to pass before merge","Enable branch protection",[214,231],{"description":232,"label":233},"Run npm audit or pip-audit on every Devin PR","Review all dependency changes",[214,235],{"description":236,"label":237},"Use CheckYourVibe or your security scanner on the PR diff, not just the file list","Scan the diff before merging",[30,239,241],{"id":240},"is-devin-worth-the-risk","Is Devin Worth the Risk?",[10,243,244],{},"For the right tasks, yes. Devin handles well-scoped, standalone work: writing tests, migrating from one library to another, adding a new endpoint that follows an existing pattern. These are tasks where the blast radius of a mistake is limited and the PR diff is reviewable.",[10,246,247],{},"Where it creates unnecessary risk: working directly on main (don't), having access to production credentials during development (don't), or being assigned open-ended architectural tasks where the scope of changes is hard to audit.",[10,249,250],{},"The security tradeoff is deliberate. Devin is more autonomous than other tools, which is exactly what makes it useful. Your job is to channel that autonomy with proper access controls rather than eliminate it.",[252,253,254,261,267,273,279],"faq-section",{},[255,256,258],"faq-item",{"question":257},"Is Devin AI safe to use?",[10,259,260],{},"Devin is safe to use if you treat it like a junior contractor with keys to the office. It needs scoped GitHub access (not org-wide admin), isolated credentials, and code review before merging. Skipping those steps is where teams get burned.",[255,262,264],{"question":263},"Does Devin store my code?",[10,265,266],{},"Cognition stores session data to improve Devin. Enterprise customers can negotiate data retention policies. The SOC 2 Type II certification covers their infrastructure, but your code travels through Cognition's servers during each session.",[255,268,270],{"question":269},"What GitHub permissions does Devin need?",[10,271,272],{},"Devin requests write access to repositories. The minimum viable scope is read/write on the specific repos you're working with, not org-level admin. Create a dedicated machine account with exactly those permissions rather than using your personal GitHub account.",[255,274,276],{"question":275},"Can Devin install malicious packages?",[10,277,278],{},"Devin installs packages autonomously during coding sessions. It can hallucinate package names, which is the slopsquatting attack vector. Packages installed by Devin should be reviewed in your pull request just like any other dependency change.",[255,280,282],{"question":281},"How does Devin compare to Cursor for security?",[10,283,284],{},"Cursor is an IDE assistant: it suggests code but you execute everything. Devin actually runs shell commands, installs packages, and commits code on your behalf. The attack surface is much larger. Use Devin for isolated tasks on feature branches; use Cursor for everyday development.",[286,287,288,294,299],"related-articles",{},[289,290],"related-card",{"description":291,"href":292,"title":293},"Security analysis of the most popular AI code editor, including data privacy and code quality risks","/blog/is-safe/cursor","Is Cursor Safe?",[289,295],{"description":296,"href":297,"title":298},"How autonomous coding agents expand the attack surface compared to traditional AI assistants","/blog/vulnerabilities/agentic-ai-security-risks","Agentic AI Security Risks",[289,300],{"description":301,"href":302,"title":303},"Security review of Anthropic's terminal-based AI coding assistant","/blog/is-safe/claude-code","Is Claude Code Safe?",[305,306,309],"cta-box",{"href":307,"label":308},"/","Scan Your Devin PR",[10,310,311],{},"Run a security scan on the code Devin writes before you merge. CheckYourVibe checks for exposed secrets, missing auth, and vulnerable dependencies in 60 seconds.",{"title":313,"searchDepth":314,"depth":314,"links":315},"",2,[316,317,324,325,326],{"id":32,"depth":314,"text":33},{"id":61,"depth":314,"text":62,"children":318},[319,321,322,323],{"id":66,"depth":320,"text":67},3,{"id":80,"depth":320,"text":81},{"id":98,"depth":320,"text":99},{"id":144,"depth":320,"text":145},{"id":180,"depth":314,"text":181},{"id":208,"depth":314,"text":209},{"id":240,"depth":314,"text":241},"is-safe","2026-05-14","Is Devin AI safe to use on your codebase? Honest review of Cognition's autonomous engineer covering shell access, GitHub permissions, code quality risks, and what to lock down before you run it.",false,"md",[333,334,335,336,337],{"question":257,"answer":260},{"question":263,"answer":266},{"question":269,"answer":272},{"question":275,"answer":278},{"question":281,"answer":284},"amber",null,"is devin safe, devin ai security, cognition ai devin, devin security risks, autonomous ai engineer, devin github access",{},true,"Devin AI has full shell, browser, and GitHub write access to your repo. Here's what that means for security.","/blog/is-safe/devin","9 min read","[object Object]","Article",{"title":5,"description":329},{"loc":344},"blog/is-safe/devin",[],"summary_large_image","_kH_8Zs2Z_y5L9FPtgmmKtcGRmQBG4GKywT-Gq6Miw4",1778818942539]