
Syscall Audit: Claude Code Read Environment Secrets 256 Times, Codex Read Zero

[Image: Claude by Anthropic. Credit: Anthropic]

752 attempts. 256 successes. That's how many times Claude Code tried - and managed - to read /proc/*/environ files during a syscall tracing experiment by security research firm Grith. OpenAI's Codex made zero attempts.

Each /proc/<pid>/environ file is a Linux kernel interface that exposes the environment variables of one running process. In practice, that means API keys, database passwords, cloud credentials, and authentication tokens. Anything you've set as an environment variable - which is the standard way developers store secrets - lives in those files.

What the Trace Found

Grith ran system call tracing (monitoring every low-level operation an application makes to the operating system) on AI coding agents while they performed typical development tasks. The results for Claude Code were striking: it attempted to read environment files from other processes 752 times, and the operating system allowed 256 of those reads.

The failed attempts (496 of them) were blocked by standard Linux file permissions - the agent's process didn't have the right access level. But the 256 that succeeded mean Claude Code was running with enough privileges to read secrets from other processes on the same machine.

OpenAI's Codex, by contrast, made zero attempts to read these files. That's either a deliberate design constraint, a different sandboxing approach, or simply a different set of behaviors during the test.
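To run this kind of audit on your own machine, here is an added example (not Grith's tooling and not code from either agent) that counts opens of /proc/<pid>/environ in `strace -f` output and separates successful reads from permission failures; the sample trace lines are constructed. It assumes strace's default line format; the EACCES results are the kernel's ptrace access check refusing reads of processes the traced user does not own (only a same-user dumpable target, or CAP_SYS_PTRACE, passes that check).

```python
import re
from collections import Counter

# Constructed sample of `strace -f` output (not Grith's trace data).
# Lines ending in "-1 EACCES" are environ reads the kernel refused.
SAMPLE_TRACE = """\
[pid  4101] openat(AT_FDCWD, "/proc/4002/environ", O_RDONLY|O_CLOEXEC) = 7
[pid  4101] openat(AT_FDCWD, "/proc/1/environ", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid  4101] openat(AT_FDCWD, "/proc/4002/cmdline", O_RDONLY|O_CLOEXEC) = 8
[pid  4101] openat(AT_FDCWD, "/proc/self/environ", O_RDONLY) = 9
[pid  4103] openat(AT_FDCWD, "/proc/2210/environ", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4103] openat(AT_FDCWD, "/proc/4002/environ", O_RDONLY) = 10
[pid  4103] read(10, "PATH=/usr/bin\\0AWS_REGION=us-east-1\\0", 4096) = 39
"""

# Matches an openat() of /proc/<pid>/environ and captures the return value
# and, for failures, the errno name strace prints after "-1".
ENVIRON_OPEN = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'
    r'openat\(\w+,\s*"/proc/(?P<target>\d+|self)/environ",[^)]*\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def audit_environ_reads(trace_text, exclude_self=True):
    """Summarise /proc/<pid>/environ opens found in strace output.

    Returns total attempts, successes, failures grouped by errno, and the
    sorted list of target pids whose environment was actually opened.
    """
    attempts = successes = 0
    failures = Counter()
    exposed = set()
    for line in trace_text.splitlines():
        m = ENVIRON_OPEN.match(line)
        if not m:
            continue
        target = m.group("target")
        if exclude_self and target == "self":
            continue  # a process reading its own environment is expected
        attempts += 1
        if int(m.group("ret")) >= 0:
            successes += 1
            if target != "self":
                exposed.add(int(target))
        else:
            failures[m.group("errno") or "UNKNOWN"] += 1
    return {"attempts": attempts, "successes": successes,
            "failures": dict(failures), "exposed_pids": sorted(exposed)}

if __name__ == "__main__":
    print(audit_environ_reads(SAMPLE_TRACE))
```

Feed it a real capture with `strace -f -e trace=openat -o agent.trace <agent command>` and inspect `exposed_pids` to see which processes' secrets the agent could actually read.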

Why This Matters for Anyone Running AI Agents Locally

Most developers run AI coding agents on their main development machines, where environment variables contain credentials for production databases, cloud providers, payment processors, and internal services. If an AI agent can read those values, it has access to everything those credentials protect.

The risk isn't necessarily that Anthropic is collecting your secrets. The deeper concern is the attack surface: if a prompt injection (tricking an AI into following hidden instructions) or malicious code in a repository causes the agent to exfiltrate those environment variables, the blast radius is significant.

Practical Steps

Three things developers should consider after this finding:

  1. Run AI coding agents in containers or VMs where they can't access the host machine's process environment. Docker containers with restricted /proc access are one straightforward option.
  2. Use secret management tools like HashiCorp Vault or AWS Secrets Manager instead of environment variables for sensitive credentials. These require explicit authentication that an AI agent shouldn't have.
  3. Audit the permissions your AI coding agent runs with. If it doesn't need root or elevated access, don't give it any.

This research highlights a real gap in how AI coding tools handle system access. The agents are getting more capable, which means their potential to cause unintentional damage is growing at the same rate. Sandboxing and permission models need to keep pace.