docs(blog): "How to Use AI Safely and Responsibly" #7903
Conversation
Skeleton scaffolded via the content-write-blog skill from an existing internal draft. Body has been adapted to the blog conventions: Notion-style <aside> blocks converted to fumadocs directive admonitions, section heading levels demoted from H1 to H2, code-fence languages corrected, and internal-doc phrasing softened for an external audience. Two diagram placeholders are left as MDX comments — the original draft used Mermaid, which this blog does not render. Author avatars for luiz-martins and matthias-oertel are not yet checked in. No Linear ref — this was scaffolded outside the usual issue flow; PR description flags it for reviewers.
Walkthrough: This PR introduces a new blog post documenting best practices for safely using AI coding assistants. The post provides structured guidance across eight risk areas: token security, secrets management, filesystem isolation, macOS execution safety, long-running task controls, extension vetting, prompt injection defense, and code validation—concluding with a quick-reference table and risk statistics.

Changes: AI Safety Best Practices Blog Post
Drops in:

- public/authors/luiz-martins.png
- public/authors/matthias-oertel.png
- public/how-to-use-ai-safely-and-responsibly/imgs/overview.png
- public/how-to-use-ai-safely-and-responsibly/imgs/sandboxing.png

Replaces the two MDX-comment TODOs in the post with real image references. Diagrams ship as PNG (the blog renders MDX images identically regardless of format). Directory uses the standard "imgs/" convention shared by the rest of the blog.
- Drops the "Reference links" appendix (B). Most entries were name-only with no URL, which read as a stub and added length without value.
- Drops the "Validation checklist" appendix (C). The same advice already lives inline under "Safely using skills and MCP extensions" — the duplicate checklist at the end was repetition, not reinforcement.
- Renames "Appendix A: Security statistics" to "Why this matters", since with B and C gone there is no other appendix to anchor "A" to.
- Replaces TL;DR bullet list with a 3-paragraph conversational lead.
Quick reference card at the end is now the single takeaway artifact.
- Drops "Read it. Follow it." and the RFC 2119 framing paragraph; the
intro now invites rather than commands.
- Strips ~30 MUST/MUST NOT/SHOULD prefixes throughout, replacing each
with the natural-prose action bolded ("Use read-only tokens",
"Don't allowlist destructive commands").
- Drops the bold "Risk:" prefix from each section opener; the section
heading already signals what the section is about.
- Renames the per-section "The right way" subheads to "What to do",
and for two sections folds the bullets directly under the section
opener where the structure didn't need a subhead.
- Tones down the Doppler example so it reads as illustrative ("the
same pattern works for 1Password CLI") rather than a tool plug.
- Final stats section gets a one-line closing prose tag instead of the
":::tip"-wrapped trailing aside.
- Removes the redundant final-sentence directive in the prompt-injection
tip; tightens the phrasing of several callouts.
No content was removed; recommendations and examples are unchanged.
The diff is voice and shape, not substance.
Summary
Adds a blog post — How to Use AI Safely and Responsibly — with practical security guidelines for developers using AI coding assistants (Claude Code, Cursor, Copilot, Windsurf, Zed). Covers MCP token scopes, secrets management, filesystem isolation, agent execution risks on macOS, permission allowlists, vetting skills and MCP extensions, prompt injection, and reviewing AI-generated code.
The post was originally drafted internally by Luiz Martins and Matthias Oertel; this PR brings it into the blog and adapts it to the blog's conventions.
Reviewer checklist
- `:::warning` / `:::tip` admonitions render as expected
- Code-fence languages are correct (`bash` for shell snippets, `json` for JSON, `python` for the Python exfil example)

Conversions applied to the source draft

- Notion-style `<aside>` blocks → `:::warning` / `:::tip` / `:::note` directives (mapped by emoji — 🚨 → warning, 💡 / 📊 → tip, 🚩 → warning)
- `# 0. TLDR`, `# 1. Introduction`, … → `## TL;DR`, `## Introduction`, … (numbering dropped; single H1 from frontmatter `title`)
- `json` / `jsx` fences containing shell → `bash`

Notes

- No Linear ref: `CONTRIBUTING.md` asks for one in the commit body; the original draft was scaffolded outside the usual issue flow. Happy to add one if reviewers prefer.
- `pnpm check` couldn't run in the working checkout (`node_modules` not installed). The `check` script targets `.ts`/`.tsx`/`.js` via oxfmt/oxlint and would not touch MDX content, so I do not expect lint to surface anything; flagging for transparency.
- `ai` is the only tag from the constrained enum that clearly fits. Reviewers may want to add `announcement` if framing the post as one.
- Scaffolded via the `content-write-blog` skill. The skill normally produces a skeleton; this PR diverges from that because a near-finished draft already existed.