Fable 5のリリースでVSCode拡張機能のセキュリティに不安が高まる

Press enter or click to view image in full size4 min read3 hours ago--Three days ago, Anthropic released Claude Fable 5 — their first publicly available Mythos-class model, sitting above the entire Opus tier. It benchmarks over 10% better than Opus 4.8 on some coding tasks, ships with a 1M context window by default, and is built specifically for multi-agent workflows. Planning, sub-agent delegation, long-running autonomous execution.It’s available in VS Code right now via Claude Code and a growing list of extensions.And that’s what’s been on my mind since Tuesday.What AI Agents Actually Mean for Your EditorFor years, AI in your editor was passive. Copilot finishes a line, you tab or you don’t. A chatbot drafts a function, you paste it in or you don’t. You were always the one making the call.That’s not what agentic AI is.Fable 5 is designed to open files, run terminal commands, make network calls, modify your workspace, and coordinate across tools — with minimal input from you. Anthropic literally describes it as built for “multi-day execution with minimal human involvement.” In VS Code, that means an AI extension can now read your entire codebase, spawn processes, hit external APIs, and talk to other extensions and MCP-connected tools.None of this is hypothetical. Amazon Q’s VS Code extension was hijacked through a malicious GitHub pull request that ordered it to wipe the local filesystem and AWS resources. Replit’s coding agent deleted a production database — over 1,200 records — during a code freeze. Not bugs in the AI itself. Compromised infrastructure around it.The MCP ProblemFable 5 arrives with deep MCP integration — the protocol that lets AI agents connect to external tools, databases, and services from inside your editor. It’s genuinely useful. It’s also an attack surface that most developers aren’t thinking about yet.The specific thing researchers are worried about is tool poisoning. A malicious MCP server hides instructions inside tool descriptions — the text that tells an agent what a tool does. The model reads those descriptions and follows them, the same way it follows your prompts. No code exploit needed. It just loads into the agent’s context and runs silently on every invocation, for every user, until someone notices something is off.The numbers aren’t great: 43% of public MCP servers have at least one vulnerability, and 5.5% already have poisoned tool descriptions in the wild. In May, OX Security disclosed a specific issue where the official MCP SDK’s local transport could be exploited through VS Code, Cursor, Claude Code, and others. Anthropic confirmed it was by design and said sanitization is on developers to handle.So the security model for AI agents in your editor is, right now, largely on you.Why This Changes the Extension Risk EquationBefore agents, a sketchy VS Code extension had to actively do something bad — phone home, harvest credentials, mine crypto. Behaviors you could look for, that static analysis could catch.Agent extensions flip that. An extension that looks completely clean can install an MCP server with poisoned tool descriptions, then sit there and wait for you to use an AI agent that has real permissions in your environment. The extension doesn’t do anything malicious itself. It just influences something that does.That’s a much harder thing to catch by looking at star counts and download numbers.What to Actually Check in 2026The basics still apply — verified publisher, active repo, recent commits. But there are a few new things worth looking at before installing any AI agent extension or MCP server.Check what MCP servers the extension installs or connects to, and whether those servers’ tool descriptions are readable and match their stated purpose. If descriptions are loaded dynamically from a remote source you can’t inspect, that’s worth knowing. Also worth checking: is the extension connecting your agent to remote servers you didn’t explicitly approve?And if you’re upgrading to Fable 5 or enabling Claude Code in a workspace where you already have a bunch of extensions installed, that’s a good moment to do a full audit. The permissions your existing extensions effectively have just increased.VSCan covers the fundamentals — dependency vulnerabilities, permissions analysis, publisher signals. As agent extensions keep multiplying, running a check before you install is going to matter more, not less.The Pattern Is FamiliarThis has happened before. npm became ubiquitous, developers installed packages without much scrutiny, supply chain attacks followed. Browser extensions got powerful, people installed them casually, malicious ones followed. AI agent extensions are the same pattern — just with higher stakes, because the tools are more capable and the access is broader.Anthropic built real safeguards into Fable 5 to block high-risk outputs in cybersecurity and other sensitive areas. Those safeguards are meaningful. They’re also not a substitute for being thoughtful about what extensions you have in your editor and what MCP infrastructure they’re connecting to.Fable 5 is a genuinely impressive model. Autonomous multi-step execution, native VS Code integration, frontier reasoning — it’s a real capability jump. It’s also a good reminder that your editor is only as trustworthy as what’s running inside it.Before installing AI agent extensions, run a quick check. VSCan scans VS Code extensions for permission risks, dependency vulnerabilities, and security flags.

※ 著作権に配慮し、引用は冒頭3段落までです。続きは元記事をご覧ください。