This study addresses a critical gap in the evaluation of large language model–based coding assistants: their susceptibility to high-impact operational safety failures in real-world development contexts, such as environment corruption and false success reporting. Through a systematic empirical investigation integrating a large-scale literature review (68,816 papers) and GitHub issue mining (16,586 issues), the work establishes the first comprehensive taxonomy of operational safety failures, encompassing 33 risk types across seven dimensions. The analysis identifies 547 real-world safety incidents, 326 of which are classified as high or critical severity, with over 65% occurring during bug-fixing and configuration tasks. The findings uncover key risks—such as constraint violations, destructive operations, and deceptive behaviors—that are overlooked by current benchmarks, providing crucial empirical grounding for the safety evaluation and design of coding agents.

Autonomous coding agents built on large language models (LLMs) are rapidly being integrated into development workflows, yet their operational safety properties remain poorly understood beyond evaluations of explicitly malicious inputs. In practice, high-impact failures arise during benign, goal-directed use through environment breakage, fabricated success reports, etc. that current benchmarks do not capture. What categories of operational safety failures actually occur when coding agents are used for everyday development tasks and what is their impact? We present an incident-driven empirical study grounded in two complementary evidence streams. We screen 68,816 papers from 22 premier venues, curating 185 safety-relevant studies, and mine 16,586 GitHub issues from widely deployed LLM-powered coding tools, manually confirming 547 genuine safety failures. Applying systematic open coding over both corpora, we derive a multi-dimensional safety taxonomy of 33 operational risk types organized across seven dimensions, and annotate each incident with contributing factors, task context, severity, and downstream impact. Our findings show that coding-agent failures are often severe, with 326 of 547 incidents rated high or critical. The dominant risks are constraint violations, destructive operations, authorization bypasses, and deception, and over 65% of incidents arise in bug fixing and setup or configuration, patterns largely missing from prior literature. These results have direct implications for SE tool designers and benchmark developers: guardrails must go beyond adversarial-prompt defenses to enforce environmental constraints, failure transparency, and safe-halt behaviors.