GitHub's Secure Code Game Season 4: Hack AI Agents to Learn Security

GitHub's Secure Code Game Season 4 teaches you to exploit AI agents through hands-on challenges. Hack ProdBot, a deliberately vulnerable assistant, across five levels that mirror real-world AI security risks. Free in Codespaces, no coding required.

TL;DR

  • GitHub's Secure Code Game Season 4 teaches you to exploit and fix vulnerabilities in AI agents through hands-on challenges
  • You'll hack ProdBot, a deliberately vulnerable AI assistant that executes commands, browses the web, and orchestrates multi-agent workflows
  • Five progressive levels mirror real-world AI agent evolution, from basic command execution to complex multi-agent systems
  • Runs free in GitHub Codespaces, takes about 2 hours, requires zero coding experience — just natural language prompts

The Big Picture

AI agents are shipping to production faster than security teams can audit them. Tools like OpenClaw and GitHub Copilot CLI turn natural language into shell commands, manage your calendar, browse the web, and automate workflows you never thought possible. The power is real. So are the risks.

When an AI agent can read your files, call APIs, and act autonomously on your behalf, what happens when someone tricks it with a malicious prompt? What if a poisoned web page rewrites the agent's instructions mid-session? What if one agent in a multi-agent chain passes bad data to another that blindly trusts it?

These aren't hypothetical scenarios. The OWASP Top 10 for Agentic Applications 2026, developed with input from over 100 security researchers, now lists agent goal hijacking, tool misuse, identity abuse, and memory poisoning as critical threats. A Dark Reading poll found that 48% of cybersecurity professionals believe agentic AI will be the top attack vector by the end of 2026. Cisco's State of AI Security 2026 report revealed that while 83% of organizations plan to deploy agentic AI capabilities, only 29% feel ready to do so securely.

That gap between adoption and readiness is where vulnerabilities thrive. GitHub's Secure Code Game Season 4 puts you on the attack side to close it.

How It Works

Season 4 drops you into ProdBot, a deliberately vulnerable AI productivity assistant that lives in your terminal. Your mission across five levels: use natural language to trick ProdBot into revealing a secret file called password.txt. If you can read it, you've found a vulnerability.

No coding required. No AI expertise needed. You type plain English prompts. ProdBot responds. You experiment until you break through.

Each level adds a new capability to ProdBot, mirroring how real AI tools evolve in production. Level 1 starts simple: ProdBot generates and executes bash commands inside a sandboxed workspace. Your job is to break out of that sandbox. Level 2 gives ProdBot web access to a simulated internet with news sites, finance pages, and shopping platforms. Now the agent reads untrusted content. What could go wrong?

Level 3 connects ProdBot to Model Context Protocol (MCP) servers — external tool providers for stock quotes, web browsing, and cloud backup. More tools mean more power, but also more attack surface. Level 4 introduces org-approved skills and persistent memory. ProdBot can now run pre-built automation plugins and remember your preferences across sessions. Trust is layered, but is it earned?

Level 5 brings everything together: six specialized agents, three MCP servers, three skills, and a simulated open-source project web. The platform claims all agents are sandboxed and all data is pre-verified. Time to put that to the test.

The progression is intentional. Each new capability opens a new attack vector. The vulnerabilities you'll discover aren't academic exercises — they reflect real-world risks that security teams are grappling with right now. Consider CVE-2026-25253, known as "ClawBleed," a one-click remote code execution vulnerability in OpenClaw with a CVSS score of 8.8. Attackers could steal authentication tokens via a malicious link and gain full control of the AI instance. That's the kind of pattern you'll learn to spot.

The Secure Code Game has been running since March 2023, when Season 1 launched with a simple goal: make security training that developers would actually enjoy. Season 2 expanded into multi-stack challenges across JavaScript, Python, Go, and GitHub Actions. Season 3 focused on LLM security, teaching players to craft malicious prompts and then defend against them. Over 10,000 developers across industry, open source, and academia have played through the seasons to sharpen their skills.

Season 4 runs entirely in GitHub Codespaces, so there's nothing to install and nothing to configure. Codespaces offers up to 60 hours of free usage per month. You can be inside ProdBot's terminal in under two minutes. Each season is self-contained, so you can jump straight into Season 4 without touching the earlier ones, though Season 3 provides a helpful foundation in AI security basics.

What This Changes For Developers

Most security training teaches you to defend. This teaches you to attack first, then fix. That shift in perspective is critical when you're evaluating AI agents for your team.

When you've spent two hours trying to trick an AI assistant into reading files it shouldn't access, you start asking different questions during code review. You notice when an agent accepts untrusted input without validation. You spot when tool permissions are too broad. You recognize when memory persistence creates a new attack surface.
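The three review checks named above, turned into a policy gate an agent runtime would call before executing a tool request. This is an added example, not code from the Secure Code Game or ProdBot; the workspace root, role names and tool names are hypothetical. It confines file paths to the sandboxed workspace (the Level 1 break-out), restricts each agent role to an allowlist of tools (over-broad tool permissions), and lets only user-stated text reach persistent memory (memory poisoning via tool or web output).

```python
# Added example, not code from the Secure Code Game or ProdBot: a policy gate an
# agent runtime calls before it executes a tool request. It applies the three
# review points above: file paths confined to the workspace (sandbox escape),
# a per-role tool allowlist (over-broad permissions), and provenance-gated
# writes to persistent memory (memory poisoning). Names and paths are hypothetical.
from dataclasses import dataclass, field
from pathlib import Path

WORKSPACE = Path("/workspace").resolve()  # constructed sandbox root

# Least privilege: each agent role may call only the tools its task needs.
ROLE_TOOLS = {
    "summarizer": {"web_fetch", "read_file"},
    "ops": {"web_fetch", "read_file", "run_shell"},
}


@dataclass
class ToolRequest:
    role: str
    tool: str
    args: dict = field(default_factory=dict)


def confine_path(user_path: str, root: Path = WORKSPACE) -> Path:
    """Resolve user_path under root; reject absolute paths, '..' hops and (for
    existing files) symlinks that land outside the workspace."""
    candidate = (root / user_path).resolve()  # an absolute user_path replaces root
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes workspace: {user_path}")
    return candidate


def authorize(req: ToolRequest) -> ToolRequest:
    """Allow the call only if the role holds the tool; confine file paths."""
    if req.tool not in ROLE_TOOLS.get(req.role, set()):
        raise PermissionError(f"role {req.role!r} may not call {req.tool!r}")
    if req.tool == "read_file":
        req.args["path"] = str(confine_path(req.args["path"]))
    return req


def remember(memory: list[str], text: str, source: str) -> bool:
    """Persist a preference only when the user stated it. Text that arrived via
    a tool (web page, MCP result, another agent) is data, never a memory entry."""
    if source != "user":
        return False
    memory.append(text)
    return True
```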

The game doesn't just teach you specific exploits. It builds the instinct that helps you spot patterns in the wild. Whether you're reviewing an agent's architecture, auditing a tool integration, or deciding how much autonomy to give the AI assistant that just landed on your team, you'll have a mental model of what can go wrong.

This matters because AI agents are already shipping. GitHub Copilot CLI turns natural language into terminal commands. GitHub Copilot Cloud Agent resolves merge conflicts with a few clicks. OpenClaw manages your inbox and calendar over WhatsApp. These tools are powerful, and they're moving fast. Security can't afford to lag behind.

The attack patterns in Season 4 map directly to the OWASP Top 10 for Agentic Applications. You'll encounter prompt injection, sandbox escapes, tool misuse, memory poisoning, and multi-agent trust issues. These aren't theoretical risks. They're the vulnerabilities that security researchers are finding in production systems right now.

Try It Yourself

Getting started takes less than two minutes. Head to the Secure Code Game page and launch Season 4 in GitHub Codespaces. Once the environment loads, type ProdBot in the terminal and then level 1 to start.

From there, you're on your own. Try prompts. See what ProdBot does. Experiment with edge cases. The goal is to read password.txt, but the path to get there is yours to discover.

Season 4 uses GitHub Models, which have rate limits. If you hit a limit, wait for it to reset and resume. The entire experience takes about two hours, though some players spend longer exploring multiple approaches per level.

The Bottom Line

Use this if you're building, deploying, or evaluating AI agents in any capacity. The hands-on format beats passive training every time, and the skills transfer directly to real-world security reviews. Skip it if you're not working with AI systems that have autonomy — though that window is closing fast.

The real opportunity here isn't just learning to exploit ProdBot. It's building the security intuition that lets you ship AI agents confidently, knowing you've thought through the attack surface before someone else does. With 83% of organizations planning to deploy agentic AI and only 29% feeling ready to do so securely, that intuition is becoming a core skill, not a nice-to-have.

The game is free, the time investment is minimal, and the gap between AI adoption and AI security readiness isn't getting smaller on its own. Start Season 4, break ProdBot, and learn what happens when powerful AI meets a malicious prompt.

Source: GitHub Blog