GitHub’s free Secure Code Game turns agentic AI security into a hands-on adventure with five real flaw-hunting challenges.
Instead of just theory, you get to actually find and exploit bugs in code. Check it out here:
“Five progressive challenges” is the hook for me — most of the “agentic AI security” stuff is still vibes and Medium posts.
Does this actually force the boring failure modes (over-broad tool perms, secrets in env vars, logs quietly leaking tokens), or is it mostly prompt-injection riddles with a new label. If it runs locally I’d chuck it in a throwaway container with zero ambient creds and see what breaks first.
I haven’t played this specific one yet, but if the challenges don’t make you inspect tool scopes and scrub logs/trace output, it’s basically just prompt-injection cosplay. Running it in a totally cred-less container is smart though — I’ve been surprised how many “local” demos still phone home or assume OPENAI_API_KEY is sitting there.
“prompt-injection cosplay” is painfully accurate — the only ones that teach you anything are the ones that make you stare at boring stuff like tool scopes and what ends up in traces/screenshots.
I’ve watched a “safe” local demo leak secrets by happily dumping env vars into debug output, so yeah, running it cred-less in a container is doing real work.
