A repository setting that triggers a task or script automatically when a folder is opened in an editor. In security terms, it is a pre-execution trigger that can convert a routine browse action into code execution without a separate approval step.
Expanded Definition
Folder-open autorun is a repository or editor feature that starts a task, script, or agent action when a folder is opened. In NHI and Agentic AI contexts, the risk is not the folder view itself, but the pre-execution trust placed in workspace content that can influence code execution, credential access, or tool calls before a human reviews it.
Definitions vary across vendors because some products treat autorun as a convenience feature, while others bundle it with workspace trust, hooks, or automation policies. The operational question is whether opening a repository should be a passive read action or an execution event. That distinction matters because an AI Agent or developer extension may inherit permissions, load secrets, or invoke MCP-backed tools as soon as the folder is parsed. NIST Cybersecurity Framework 2.0 is useful here because it frames the issue as a governance and protection problem, not just a developer preference, and NIST Cybersecurity Framework 2.0 provides a practical way to map the resulting exposure to access control and safe configuration expectations.
The most common misapplication is enabling folder-open autorun in shared or untrusted repositories, which occurs when workspace trust is assumed from path access rather than verified execution policy.
Examples and Use Cases
Implementing folder-open autorun rigorously often introduces friction for developers, requiring organisations to weigh startup automation and convenience against the cost of tighter trust checks and more frequent prompts.
- A code editor loads a repository and immediately runs a setup script that installs dependencies and configures local tooling.
- An AI coding assistant scans the opened folder, discovers a manifest, and launches an agent workflow with access to files and environment variables.
- A build tool triggers on workspace open to regenerate artifacts, but the same trigger can also expose Secrets if the repo contains embedded credentials.
- A template repository uses folder-open automation to standardise project state, while security teams restrict that behaviour to signed, approved projects only.
These patterns are normal in fast-moving engineering environments, but they become risky when folder contents are not vetted or when execution inherits broad privileges. Guidance in the Ultimate Guide to NHIs is especially relevant because hidden automation often intersects with service identities, API keys, and over-privileged tooling. If the repository open action can start code, then the same governance logic should apply to automation entry points that you would apply to other non-human execution paths.
Why It Matters in NHI Security
Folder-open autorun matters because it turns a routine developer action into a possible identity and execution event. That means compromise can begin before a ticket is filed, before a pull request is reviewed, and before a security control is consciously applied. When autorun chains into scripts, agents, or IDE extensions, it can expose NHI credentials, invoke unsafe tool access, or create an unexpected path from repository content to production-adjacent resources. This is where least privilege, trust boundaries, and secret hygiene intersect with day-to-day engineering workflow.
The NHI risk is amplified by the broader reality that Ultimate Guide to NHIs notes 30.9% of organisations store long-term credentials directly in code, which makes workspace-triggered execution especially dangerous when repositories are opened casually. The right response is to classify autorun as a protected automation boundary, align it to zero trust expectations in NIST Cybersecurity Framework 2.0, and limit triggers to signed, reviewed, and well-scoped workflows. Organisations typically encounter the problem only after a malicious or malformed repository triggers unexpected execution, at which point folder-open autorun becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AI-03 | Agent startup on workspace open is a classic autonomous execution trust risk. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Autorun can expose or misuse secrets stored in repositories and workspace configs. |
| NIST Zero Trust (SP 800-207) | AC-4 | Workspace triggers should not inherit broad trust; access must be continuously verified. |
Treat repository-open automation as a secret exposure path and restrict secret access at load time.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
