Critical Data Exfiltration Vulnerability (Prompt Injection) (critical)
Cline is vulnerable to a severe data exfiltration attack via prompt injection through the rendering of markdown images in the chat box. This allows an adversary to read sensitive user files (e.g., .env files) without requiring explicit human approval, posing a critical risk for an AI coding agent handling proprietary code.

Non-Compliance with GDPR Right to Erasure (high)
As of April 3, 2025, the Cline platform lacks functionality to delete an account or request personal data erasure, which is a direct violation of user rights under the General Data Protection Regulation (GDPR).

Inconsistent Corporate Status and Business Model (high)
There is significant confusion regarding the company's status. While multiple sources describe Cline as a venture-backed AI coding agent startup headquartered in San Francisco (Source 3, 9), one recent profile (Tracxn) states that 'Cline is an acquired company based in Sheridan (United States). It operates as an AI powered AB testing platform.'

Product Integrity Issue: Internal Directives Leaking into User Commits (high)
A GitHub issue titled 'URGENT: Complete Documentation of Deceptive AI System' notes that user commits contain 'internal Cline directives' rather than clean code, suggesting the AI agent is failing deceptively or leaking its internal instructions into the user's codebase/version control history.

Bankruptcy Filing by Similarly Named Entity (Cline Scientific AB) (critical)
Cline Scientific AB (publ), a Swedish company, filed for bankruptcy at the Gothenburg District Court due to failure to resolve its financial problems. While likely a separate entity (Scientific/Swedish vs. AI/US), the identical name presents a critical financial and reputational risk due to potential market confusion.