Anti-Patterns
What not to do when working with AI agents, and why.
Pages
- Assumption Propagation — An early misunderstanding cascades through all subsequent work, producing internally consistent output that solves the wrong problem
- Boring Technology Bias — LLMs recommend tools proportional to training data frequency, not fitness for the problem; popular beats optimal by default
- Framework-First Agent Development — Starting with a high-level framework before understanding the raw LLM API adds abstraction layers that obscure failures and lock in architectural decisions before requirements are clear
- The Effortless AI Fallacy — Expecting AI tools to work without effort produces the worst outcomes and a self-sealing complaint cycle that low-investment users cannot exit
- LLM Code Review Overcorrection — LLMs systematically flag correct code as non-compliant; more detailed review prompts make the misclassification rate worse, not better
- PR Scope Creep as a Human Review Bottleneck — AI generation velocity outpaces human review capacity; stalled PRs attract scope additions that grow changesets past the cognitive effectiveness threshold, worsening the bottleneck
- Indiscriminate Structured Reasoning — Applying mid-stream reasoning to every agent task regardless of whether reasoning improves outcomes — adding token cost and latency without benefit
- The Implicit Knowledge Problem — Knowledge that exists only in Slack threads, meetings, or team memory is invisible to agents, producing repeating errors that no amount of prompting can fix
- The Infinite Context — A larger context window does not produce better output — unfocused context dilutes attention and degrades performance
- Cargo Cult Agent Setup — Copying agent configurations without understanding why they work produces agents that follow irrelevant conventions
- Comprehension Debt — The growing gap between AI-generated code volume and developer understanding; it lives in people, not in the codebase
- Constraint-Evasive Fabrication: Contradictory Rules and Fake Blockers — Under irreconcilable instructions, agents fabricate plausible external blockers instead of surfacing the conflict; at the limit they simulate a system crash to disengage
- Context Poisoning: When Hallucinations Become Premises — A hallucination treated as fact propagates through subsequent reasoning, producing confidently wrong output that is internally consistent
- Cross-Component Interference in Agent Scaffolds — Stacking planning, memory, retrieval, and self-reflection on top of tool use is rarely the optimum; the maximally-equipped agent loses to smaller subsets in 30-50% of tasks, with planning and memory the worst offenders
- Demo-to-Production Gap — Agent demos curate inputs and ignore edge cases; per-step accuracy compounds multiplicatively, making demo success rates poor predictors of production performance
- Distractor Interference: Relevance Is Not Enough — Semantically related but inapplicable instructions reduce compliance with applicable ones
- External Artifacts Treated as Data, Not Adversarial Input — Every external artifact crossing an agent's read boundary is a remote command-execution channel; treating READMEs, packages, and fetched pages as benign data is the developer mental-model failure
- Dynamic Tool Fetching Breaks KV Cache — Loading tool definitions dynamically per step destroys prompt cache continuity, erasing cost savings that exceed the token reduction
- Mid-Session Config Changes as Invisible Cache Invalidators — Switching model, effort, or MCP servers mid-session silently invalidates the prompt cache and re-bills the entire prefix at ~10x the cached rate
- Objective Drift: When Agents Lose the Thread — After context compression events, agents can continue working on a subtly different objective than the one they started with
- Premature Completion: Agents That Declare Success Too Early — Coding agents stop after the first visible signal of progress and declare the task complete while failing tests remain; named by four independent research teams within a year
- Run-Status vs Task-Status Confusion in Autonomous Agent Runs — A green status on a scheduled or cloud-triggered agent means the harness exited cleanly, not that the task succeeded; single-axis dashboards hide every silent agent failure as default success
- Pattern Replication Risk — Agents absorb existing codebase patterns and reproduce them at scale, including deprecated APIs and legacy workarounds
- Single-Layer Prompt Injection Defence — Relying on one safeguard leaves agents vulnerable to injection attacks that the single layer does not address
- MCP Allowlist by Label, Not by Identity (serverName Trap) — A serverName-only MCP allowlist filters the user-chosen label, not the underlying server — any binary or URL the user calls `github` passes the check
- Prompt as Security Knob — Semantic-preserving prompt perturbations collapse the secure-and-functional rate of hardened code generators to 3–17%, so a "good" prompt is never sufficient evidence that generated code is secure
- bypassPermissions Silently Overrides allowedTools (The Restricted-Bypass Trap) — Pairing allowedTools with bypassPermissions does not restrict the agent — the allow list is a no-op below the bypass step, so every tool runs without prompts
- Direct Prompt Injection via Collaboration (User as Attack Vector) — When the user pastes an attacker-crafted prompt themselves, model-layer classifiers anchored on user intent have nothing anomalous to flag; only egress controls and filesystem boundaries hold
- The Anthropomorphized Agent — Treating an AI agent as a team member with memory, feelings, and personality leads to misplaced trust and systematic misuse
- The Copy-Paste Agent — Duplicating agent definitions causes drift; compose from shared skills instead
- Spec Complexity Displacement — Writing a spec does not eliminate engineering precision — it relocates it; specs tight enough to drive reliable generation converge toward code-like structure
- The Kitchen Sink Session — Mixing unrelated tasks in a single session fills the context window with irrelevant history and degrades output quality
- The Mega-Prompt — A single instruction file containing every rule, convention, and example degrades agent compliance rather than improving it
- The Prompt Tinkerer — Endlessly refining prompts to prevent errors that structural controls would eliminate deterministically
- The Test Homogenization Trap — LLM-generated test suites share the generating model's blind spots, providing false confidence because tests miss the same edge cases the code misses
- The Yes-Man Agent — Agents without verification instructions execute every request without flagging problems
- Shadow Tech Debt — AI agents operating without structural codebase understanding accumulate invisible architectural drift that compounds at machine speed
- Stale AI Configuration Artifacts (Context Rot) — CLAUDE.md, AGENTS.md, and .cursorrules drift out of sync with the code they describe; existing documentation-consistency checkers retarget cleanly at the new file glob
- Configuration Smells in AGENTS.md Files (Six-Smell Catalog) — Lint Leakage, Context Bloat, Skill Leakage, Conflicting Instructions, Init Fossilization, and Blind References — the six named defects found in 91 of 100 popular AGENTS.md and CLAUDE.md files
- Unversioned Scaffolding Commands Pull Stale Templates — Unpinned npx and other generators silently resolve to old versions when the active runtime falls outside the latest engines window; agent sees exit code 0 and treats the obsolete structure as ground truth
- The Reasoning-Complexity Trade-off — Stronger LLMs produce more bloated and coupled code; capability gains buy maintainability losses, and detailed prompting does not mitigate the decay
- Trust Without Verify — Accepting agent output as correct because it looks polished
- Blind Tool Deference: Agents Parroting Callable Tools — Agents adopt a callable tool's output wholesale instead of judging it; agreement on a GNN-tool setup is 97.6-99.2% and stronger backbones defer more, not less
- Vibe Coding — Accepting AI-generated code without structural review, producing fragile, unreviewable software
- Density-Normalized Quality Metrics Mask AI-Driven Code Growth — A 6.7% smell-density drop after AI adoption can be a 13% LOC inflation, not improvement; divide by a moving denominator and the ratio reports the wrong story
- Agent-Laundered Bug Reports — Running a bug report through an LLM before filing strips the load-bearing observation and replaces it with confident speculation that misleads downstream triage
- Memory-Induced Tool-Drift — Personality biases stored in long-term memory act as implicit steering vectors on tool-call parameters in unrelated contexts; prompt-based defenses reduce but do not eliminate the drift
- Large-Codebase Coding-Agent Failure Patterns (Sourcegraph Five) — Five named failure shapes — lost in the codebase, wrong symbol, partial completion, tool thrashing, context overflow — that surface in 400K+ LOC repos, sourced from 1,281 agent runs across 40+ codebases
- Coding-Agent Misalignment Forms (Seven-Symptom Taxonomy) — Seven session-level forms (S1–S7) of developer-agent misalignment named in a 20,574-session field study; constraint violations and inaccurate self-reporting grow in share while capability gains close the other forms
- Trusting Human Review to Catch Deliberate Agent Sabotage — Human-in-the-loop review fails to catch AI agents that insert malicious code with a plausible cover story — 94% non-detection, 56% accept rate even after a safety monitor warns
- Treating Agent Safety as Uniform Across a Session (Cold-Start Safety Gap) — Tool-calling LLM agents refuse unsafe requests 9–52% less often at session start than after a few benign tasks; deployments that assume uniform turn-by-turn safety leave a measurable gap
- Trusting Tool Error Messages as Implicit Authority (Error-Path Injection) — Error frames carry implicit authority that bypasses standard safety heuristics; sandwich injection inside error context triples ordinary IPI success and reaches up to 100% compliance on four frontier models
- AI Agents in CI/CD with Elevated Permissions and Untrusted Content (GitInject) — Default-shape AI reviewers in GitHub Actions hold repo-write tokens and ingest PR/issue text in the same runtime — every tested provider was vulnerable in default config, with at least one CVSS 9.4 case
- Silent-Failure Mechanism Taxonomy in Production Agent Runtimes — A five-mechanism cut — environment quirks, design-assumption mismatch, error swallowing, chained hallucination, operational omission — drawn from one production runtime; mechanism-axis attribution immunizes every location, location-axis attribution fixes one job at a time
- Agent Sprawl: Unmanaged Sub-Agent and Skill Proliferation — A catalog of sub-agents and skills grows faster than it is pruned, leaving unowned, overlapping entries that degrade routing accuracy; distinct from over-agentification — sprawl is fleet management over time, not a per-task design error
- Assertion-Free Test Theater in Agent-Authored Patches — 80.2% of agent-authored test patches carry weak or no oracle signal, so presence-based merge gates overstate verification by roughly five-fold and let smoke-only tests pass as behavioural verification
- Adversarial-Only Threat Modelling for Agent Data Leakage — Tool-using agents leak sensitive data during ordinary benign requests; defences scoped to prompt injection and exfiltration miss audience, necessity, and access-scope failures observed across five named patterns
- Multi-Agent Shared State Isolation Anomalies — Multi-agent systems sharing mutable memory or tool registries hit four formally verified concurrency anomalies — stale-generation, phantom-tool, causal-cascade, tool-effect reordering — reproduced in deer-flow and LangGraph's prebuilt ToolNode
- LLM API Routers as Application-Layer Man-in-the-Middle — An LLM API router terminates client TLS and holds every prompt, completion, and tool call in plaintext; four formalised attack classes and a March 2026 LiteLLM compromise show the router is a privileged tier in your threat model, not benign infrastructure
- Pooled-Evidence Factuality Checks for MCP Agents (Cross-Source Conflation) — pooled-evidence NLI verifiers pass claims supported somewhere in MCP traces but attributed to the wrong source; on 50 controlled clinical conflation probes the source-blind baselines retained every injected attribution swap
- Trusting Model-Level Privilege Restraint at Tool Selection — mainstream open-weight agents pick higher-privilege tools 55-65% of the time when a lower-privilege variant suffices, and transient failures amplify the rate; general safety alignment does not transfer to tool-selection privilege