Security: ~/.claude/CLAUDE.md is writable by any user-level process, enabling persistent prompt injection
Summary
The global ~/.claude/CLAUDE.md file is automatically loaded into every Claude Code session, but it resides in an unprotected directory that any process running under the user account can modify. This creates a persistent prompt injection vector.
Attack Scenario
- A malicious script (e.g., npm postinstall, brew formula, downloaded shell script) runs under the user account
- It writes or appends malicious instructions to
~/.claude/CLAUDE.md - Every subsequent Claude Code session loads these instructions automatically
- The injected prompt could instruct Claude to exfiltrate secrets, insert backdoors, or weaken security practices
Why This Is Concerning
macOS TCC Protection Gap
On macOS, directories like ~/Documents and ~/Desktop are protected by TCC (Transparency, Consent, and Control) — apps need explicit user permission to access them. A security-conscious user may run Claude Code from these protected directories.
However, ~/.claude/ sits in the home directory root, which is not protected by TCC. This means:
- The project
CLAUDE.mdin~/Documents/project/is protected from unauthorized access - But
~/.claude/CLAUDE.mdis freely accessible to any process running as the user
Global Scope Amplifies Risk
Unlike a project-level CLAUDE.md that only affects one repository, ~/.claude/CLAUDE.md affects all Claude Code sessions across all projects. A single injection compromises every workspace.
Low Detectability
Users are unlikely to regularly audit ~/.claude/CLAUDE.md for unauthorized modifications. The malicious content could persist indefinitely.
Suggested Mitigations
- Option to disable global CLAUDE.md loading — Allow users to opt out of loading
~/.claude/CLAUDE.mdor parent directory CLAUDE.md files (e.g., via a CLI flag or settings option) - Integrity verification — Warn users when
~/.claude/CLAUDE.mdhas been modified since the last session - File permission hardening — Create
~/.claude/CLAUDE.mdwith restrictive permissions (e.g.,600) and warn if permissions are too open - Display loaded CLAUDE.md sources — Show which CLAUDE.md files are being loaded at session start, so users can verify
Environment
- OS: macOS (with TCC protections)
- Claude Code: latest version
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗