The proliferation of agentic AI coding assistants, including Claude Code, GitHub Copilot, Cursor, and emerging skill-based architectures, has fundamentally transformed software development workflows. These systems leverage Large Language Models (LLMs) integrated with external tools, file systems, and shell access through protocols like the Model Context Protocol (MCP). However, this expanded capability surface introduces critical security vulnerabilities. In this \textbf{Systematization of Knowledge (SoK)} paper, we present a comprehensive analysis of prompt injection attacks targeting agentic coding assistants. We propose a novel three-dimensional taxonomy categorizing attacks across \textit{delivery vectors}, \textit{attack modalities}, and \textit{propagation behaviors}. Our meta-analysis synthesizes findings from 78 recent studies (2021--2026), consolidating evidence that attack success rates against state-of-the-art defenses exceed 85\% when adaptive attack strategies are employed. We systematically catalog 42 distinct attack techniques spanning input manipulation, tool poisoning, protocol exploitation, multimodal injection, and cross-origin context poisoning. Through critical analysis of 18 defense mechanisms reported in prior work, we identify that most achieve less than 50\% mitigation against sophisticated adaptive attacks. We contribute: (1) a unified taxonomy bridging disparate attack classifications, (2) the first systematic analysis of skill-based architecture vulnerabilities with concrete exploit chains, and (3) a defense-in-depth framework grounded in the limitations we identify. Our findings indicate that the security community must treat prompt injection as a first-class vulnerability class requiring architectural-level mitigations rather than ad-hoc filtering approaches.

翻译：以Claude Code、GitHub Copilot、Cursor以及新兴的基于技能的架构为代表的智能AI编码助手的普及，从根本上改变了软件开发工作流程。这些系统利用大型语言模型（LLMs），通过模型上下文协议（MCP）等协议与外部工具、文件系统和shell访问集成。然而，这种扩展的能力表面引入了严重的安全漏洞。在这篇**知识系统化（SoK）**论文中，我们对针对智能编码助手的提示注入攻击进行了全面分析。我们提出了一个新颖的三维分类法，将攻击按**投递向量**、**攻击模式**和**传播行为**进行分类。我们的元分析综合了78项近期研究（2021–2026年）的发现，整合的证据表明，当采用自适应攻击策略时，针对最先进防御的攻击成功率超过85%。我们系统地整理了42种不同的攻击技术，涵盖输入操纵、工具投毒、协议利用、多模态注入和跨源上下文投毒。通过对先前工作中报告的18种防御机制进行批判性分析，我们发现大多数机制在面对复杂的自适应攻击时，其缓解效果不足50%。我们的贡献包括：（1）一个统一不同攻击分类的整合分类法；（2）首次对基于技能的架构漏洞及其具体利用链进行的系统性分析；以及（3）一个基于我们所识别局限性的纵深防御框架。我们的研究结果表明，安全社区必须将提示注入视为一类需要架构级缓解措施而非临时过滤方法的一级漏洞。