Signals CapitalGuard looks for
Markdown files with imperative agent instructions
Prompt folders inside the default workspace
Issue templates or runbooks that include tool-use instructions
Why it matters
Agents can treat repository text as task context, not just documentation.
A hidden instruction can change what an agent edits, runs, summarizes, or uploads.
The business risk grows when the agent also has terminal, Git, or deployment access.
Precautions to take
Mark docs, tickets, prompts, and logs as untrusted by default.
Move approved operational guidance into reviewed policy files.
Require human approval before agent actions that affect release, billing, or customer data.