systemd goes AI agent slopware https://github.com/systemd/systemd/blob/c1d4d5fd9ae56dc07377ef63417f461a0f4a4346/AGENTS.md

has slop documentation now too

EDIT: See later in thread, it seems like the good news is at least that it's not having auto-merging on, which is where the security risk comes in. I still have other concerns.

Looks like they're also using Claude for PR review https://github.com/systemd/systemd/commit/9a70fdcb741fc62af82427696c05560f4d70e4de

Which probably means systemd is now the most attractive target in FOSS for an AI prompt injection attack to insert a backdoor

EDIT: It does seem that they don't have auto-merging of PRs from the review bot, which is an improvement over the situation (and mitigates the primary security risk, hopefully it stays that way), and AI contributions are asked to be disclosed. That said, it seems like the issue is closed, and they are firmly in the "we will accept AI contributions, as long as disclosed" camp.

ci: Add one more mcp tool to claude-review workflow · systemd/systemd@9a70fdc

@trentmichael_reznor Prompt injection attacks against PR review agents have resulted in backdoors in merged PRs with nobody noticing
@trentmichael_reznor systemd gets a lot more attention, so maybe it's not as likely, but

@cwebber @trentmichael_reznor It's not just that, the AI part of the review workflow runs with only read-only access to the repository. All it does is produce some JSON that is processed by another step further in the workflow which does have permission to write the comments from the JSON to PRs.

I did put a little thought into making sure the risk of prompt injection is minimal. The review workflow can also only be triggered by repository members and is not triggered automatically yet.
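
The privilege split described in the reply above depends on the write-capable step treating the model's JSON as untrusted input. A sketch of that validation follows, added here as an example and not taken from the systemd workflow; the JSON schema, the limits, the function name and the sample paths are all assumptions.

```javascript
// Added example: hypothetical schema {"comments":[{"path","line","body"}]}.
const MAX_COMMENTS = 20;
const MAX_BODY = 2000;

// rawJson: untrusted output of the read-only model step.
// changedFiles: paths the privileged step fetched itself from the PR.
function sanitizeReview(rawJson, changedFiles) {
  let doc;
  try {
    doc = JSON.parse(rawJson);
  } catch {
    return { ok: false, reason: "not valid JSON", comments: [] };
  }
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.comments)) {
    return { ok: false, reason: "missing comments array", comments: [] };
  }
  if (doc.comments.length > MAX_COMMENTS) {
    return { ok: false, reason: "too many comments", comments: [] };
  }
  const allowed = new Set(changedFiles);
  const comments = [];
  for (const c of doc.comments) {
    if (c === null || typeof c !== "object") continue;
    if (typeof c.path !== "string" || !allowed.has(c.path)) continue;
    if (!Number.isInteger(c.line) || c.line < 1) continue;
    if (typeof c.body !== "string" || c.body.length === 0) continue;
    const body = c.body
      .replace(/[\u0000-\u0008\u000b-\u001f\u007f]/g, "") // drop control chars
      .replace(/@(?=[A-Za-z0-9])/g, "@\u200b")            // no user/team pings
      .slice(0, MAX_BODY);
    // Copy only allow-listed fields, so extra keys never reach the API call.
    comments.push({ path: c.path, line: c.line, body });
  }
  return { ok: true, reason: null, comments };
}

// Constructed sample: one valid comment, two that must be dropped.
const sample = JSON.stringify({ comments: [
  { path: "src/example.c", line: 42, body: "Possible leak. cc @maintainer", extra_field: "x" },
  { path: "docs/not-in-this-pr.md", line: 1, body: "comment on a file outside the PR" },
  { path: "src/example.c", line: "7", body: "line is not an integer" },
]});
console.log(sanitizeReview(sample, ["src/example.c"]));
```
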