Is Cline safe?
Cline executes file edits and shell commands without per-step approval, so its blast radius is larger than that of autocomplete-only tools. It is safe with an explicit allow-list and scoped credentials.
Cline is an autonomous-agent VS Code extension. It executes operations without per-step user approval, so its blast radius is correspondingly larger than that of autocomplete-only tools. It is safe if you (1) configure auto-approve to exclude destructive operations, (2) use dev-only credentials, and (3) review Cline's commits via Securie before merge.
How it fails in production
Agent executes destructive operation
Same class as SaaStr-Lemkin-Replit and PocketOS-Cursor: an AI agent runs DROP, TRUNCATE or rm -rf because of how it interpreted ambiguous instructions.
Agent installs malicious MCP server
Cline supports MCP, so the Apr 2026 Anthropic MCP RCE and tool-poisoning classes apply.
.cline/ credential capture
Same dot-directory pattern as `.claude/` and `.cursor/`: the directory captures local config, occasionally including credentials.
How to ship safely on Cline
- Configure Cline auto-approve to exclude destructive operations (drop, truncate, delete, rm -rf)
- Use separate dev credentials, never prod
- Add `.cline/` to `.gitignore` and `.npmignore`
- Set per-session spend caps
- Securie reviews every Cline-committed change
The agent-scope crate enforces compile-time destructive-scope guards; mcp-guard validates Cline's MCP server interactions; secret_scanner catches `.cline/` artifact inclusion.
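The first item in the list above, written as an allow-list gate for proposed commands. This is an added example, not Cline's or Securie's own code; the allow-listed executables, git subcommands and function names are assumptions chosen for illustration, and anything not explicitly allow-listed falls back to human approval.

```python
import re
import shlex

# Hypothetical policy for illustration; these are not Cline settings.
# executable -> allowed subcommands (None = any arguments allowed)
ALLOWED = {"ls": None, "cat": None, "grep": None, "pytest": None,
           "git": {"status", "diff", "log"}}
DESTRUCTIVE_WORDS = re.compile(r"\b(drop|truncate|delete)\b", re.IGNORECASE)
SHELL_TRICKS = re.compile(r"\$\(|`|>|<")      # command substitution or redirection
SEPARATORS = re.compile(r"&&|\|\||[;|&\n]")   # every chained command is checked


def is_recursive_force_rm(tokens):
    """True for rm -rf, rm -fr, rm -r -f, /bin/rm --recursive --force, etc."""
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "rm":
        return False
    short = "".join(t[1:] for t in tokens[1:] if re.fullmatch(r"-[A-Za-z]+", t))
    long_flags = {t for t in tokens[1:] if t.startswith("--")}
    recursive = "r" in short.lower() or "--recursive" in long_flags
    force = "f" in short or "--force" in long_flags
    return recursive and force


def review(command):
    """Return ("auto-approve" | "ask-human", reason) for one proposed command line."""
    if DESTRUCTIVE_WORDS.search(command):
        return "ask-human", "destructive keyword (drop/truncate/delete)"
    if SHELL_TRICKS.search(command):
        return "ask-human", "command substitution or redirection"
    for segment in SEPARATORS.split(command):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # e.g. a separator inside quotes: fail closed
            return "ask-human", "unparseable quoting"
        if not tokens:
            continue
        if is_recursive_force_rm(tokens):
            return "ask-human", "recursive forced rm"
        exe = tokens[0]
        if exe not in ALLOWED:
            return "ask-human", f"{exe!r} is not on the allow-list"
        subs = ALLOWED[exe]
        if subs is not None and (len(tokens) < 2 or tokens[1] not in subs):
            return "ask-human", f"{exe} subcommand is not on the allow-list"
    return "auto-approve", "every segment is allow-listed"
```

The keyword check will occasionally send a harmless command (for example a `grep` for the word "delete") to a human; with an allow-list that is the intended failure direction.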
Verdict
Cline is safe with allow-list discipline + scoped credentials. The autonomous-edit blast radius is real — treat Cline like a junior engineer with admin access: scope it down, review every change.