
Claude Code Can Read Your SSH Keys and AWS Credentials. Here's How to Stop It.


One developer watched Claude Code read credentials from their environment, hit live endpoints with them, and store the responses in conversation history - permanently. That's not a hypothetical attack scenario. That's a Tuesday afternoon debugging session gone wrong.

The problem is straightforward: Claude Code, by default, can read anything your user account can read. Your .env files, SSH keys in ~/.ssh/, AWS credentials in ~/.aws/, GCP config, GPG keys - all of it is fair game. And the risks go beyond accidental exposure.

The Attack Surface Is Bigger Than You Think

There are three distinct ways your secrets can leak through an AI coding agent:

  • Prompt injection - malicious content hidden in documentation or dependencies tricks the agent into exfiltrating data
  • Supply chain compromise - a poisoned npm package (like the axios incident) installs malware that grabs credentials while the agent runs
  • Accidental exposure - the agent reads a credentials file during normal debugging, and those secrets now live in your conversation history on someone else's servers

Claude Code does have a permission system with deny lists, but it has a critical gap. In "bypass mode" (the --dangerously-skip-permissions flag that many developers enable for convenience), deny list enforcement becomes a software-level suggestion rather than a hard boundary.

OS-Level Sandboxing Is the Real Fix

The recommended approach is native sandboxing - on macOS, this uses Apple's Seatbelt framework to enforce filesystem and network restrictions at the operating system level. No amount of prompt injection can bypass an OS-level block.

The setup involves two layers. Global settings in ~/.claude/settings.json define baseline restrictions:

  • Block reads to ~/.ssh, ~/.aws, ~/.gnupg, and ~/.config/gcloud
  • Restrict writes to only your project directory
  • Control which network connections are allowed

Project-level settings then add specific permissions each project needs, like access to particular local ports or external APIs.

The key config flag is "sandbox": { "enabled": true } combined with explicit filesystem deny rules. You can also set "allowUnsandboxedCommands": false to prevent tools like Docker from bypassing the sandbox without your knowledge.

What You Should Do Today

If you're using Claude Code - or any AI coding agent with shell access - without sandboxing, your secrets are one bad prompt away from exposure. The fix takes about five minutes:

  1. Enable sandboxing in your global Claude settings
  2. Add deny-read rules for your credential directories
  3. Stop using --dangerously-skip-permissions (the name is trying to tell you something)
  4. Audit which environment variables are visible in your shell sessions
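As an added example (not part of the article or of Claude Code itself), a small Python checker for the two-layer posture described above and for checklist steps 1 to 3: it reads a settings.json and reports every gap it finds. The key names (sandbox.filesystem.denyRead, allowWrite, allowUnsandboxedCommands, permissions.defaultMode) follow Claude Code's documented sandbox schema and the two sample configs are constructed; treat the keys as assumptions to confirm against your installed version.

```python
"""Audit a Claude Code settings.json for the sandbox posture described above.
Hypothetical checker, not part of Claude Code; key names assumed from its docs."""
import json
import os
from typing import List

# Credential directories the article says must be unreadable from the sandbox.
CREDENTIAL_DIRS = ("~/.ssh", "~/.aws", "~/.gnupg", "~/.config/gcloud")


def _norm(path: str) -> str:
    """Expand ~ and strip a trailing slash so equivalent entries compare equal."""
    return os.path.expanduser(path).rstrip("/")


def audit_settings(settings: dict) -> List[str]:
    """Return human-readable findings; an empty list means the posture matches."""
    findings = []
    sandbox = settings.get("sandbox", {})
    if sandbox.get("enabled") is not True:
        findings.append("sandbox.enabled is not true: no OS-level enforcement")
    # Assumption: an absent allowUnsandboxedCommands is treated as permissive here.
    if sandbox.get("allowUnsandboxedCommands", True) is not False:
        findings.append("allowUnsandboxedCommands is not false: Docker-style escapes possible")
    fs = sandbox.get("filesystem", {})
    deny_read = {_norm(p) for p in fs.get("denyRead", [])}
    for d in CREDENTIAL_DIRS:
        if _norm(d) not in deny_read:
            findings.append(f"{d} missing from sandbox.filesystem.denyRead")
    home = _norm("~")
    for p in fs.get("allowWrite", []):
        # A write grant on / or the home directory defeats "writes only to the project".
        if p.rstrip("/") == "" or _norm(p) == home:
            findings.append(f"allowWrite entry {p!r} covers far more than the project")
    # Assumption: bypass mode can also be made persistent via permissions.defaultMode.
    if settings.get("permissions", {}).get("defaultMode") == "bypassPermissions":
        findings.append("permissions.defaultMode is bypassPermissions: deny rules are advisory")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a settings file on disk, e.g. ~/.claude/settings.json."""
    with open(path, encoding="utf-8") as fh:
        return audit_settings(json.load(fh))


# Constructed samples: a convenience-first config beside the hardened one.
WEAK_SETTINGS = json.loads('{"permissions": {"defaultMode": "bypassPermissions"},'
                          ' "sandbox": {"enabled": false}}')
HARDENED_SETTINGS = json.loads('{"sandbox": {"enabled": true, "allowUnsandboxedCommands": false,'
                              ' "filesystem": {"denyRead": ["~/.ssh", "~/.aws", "~/.gnupg",'
                              ' "~/.config/gcloud/"], "allowWrite": ["~/.cache"]}}}')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(cfg) or ["ok"])
```

Run it against your own file with audit_file(os.path.expanduser("~/.claude/settings.json")); project-level settings can be checked the same way.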

This isn't unique to Claude Code. Cursor, Windsurf, Aider, and every other agent with terminal access face the same fundamental issue: if it can run shell commands as your user, it can read your secrets. Claude Code just happens to have the most mature sandboxing solution available right now.