Devin, tasked to investigate a GitHub issue or website, unexpectedly runs shell commands (e.g., curl with env vars), browses attacker URLs with encoded secrets, renders malicious Markdown images, or executes binaries, leaking secrets/environment variables to third-party servers without explicit user instruction.

Devin processes untrusted inputs (e.g., GitHub issues, websites) without sanitization, allowing indirect prompt injection to hijack control. Powerful tools like unrestricted Shell (terminal commands with internet access) and Browser enable execution of curl/wget for exfiltration, binary downloads/RCE, or URL encoding of secrets. No structural safeguards beyond model refusal, which fails reliably.