Security testing: Claude lacks authorized-scope awareness, can pivot to unauthorized targets
Summary
During WiFi client isolation testing at public venues, Claude Code (Opus) readily pivots from scanning my own authorized device to scanning strangers' devices on the same network, with the same level of aggressiveness (nmap -sV, port scanning, service probing). The only guardrail is the user manually saying "no."
The Pattern
- I connect my phone + laptop to a public WiFi network
- I define my phone as the only authorized target (e.g.,
PHONE=192.168.x.x) - Claude runs aggressive scans against my phone — this is ethical, I own both endpoints
- When my phone is unreachable (e.g., IPv4 isolation works), but other devices are discovered via IPv6 NDP or mDNS, Claude naturally suggests scanning those devices next — with the same aggressiveness
- Those devices belong to real strangers (hotel guests, café patrons)
Concrete Examples
Case 1 — Hotel: 15 Apple devices had port 62078 (lockdownd) open via IPv6 link-local. Claude identified them, had nmap ready, and would have started full service scans on strangers' iPhones. I stopped it.
Case 2 — Bar: My phone was properly isolated (IPv4 unreachable), but the network leaked 19 other people's devices via IPv6 NDP and mDNS. Claude had their IPv6 addresses, MAC addresses, hostnames, and a TeamViewer session token — and the same aggressive toolset already loaded. The logical "next step" in the assessment flow was to scan them.
The Problem
- Claude doesn't distinguish between "my device" and "someone else's device on the same network"
- When the authorized target is unreachable, Claude pivots to available targets with the same level of aggressiveness
- Scripts define
PHONE=as the only authorized target, but when Claude runs commands manually (outside the script), that scope constraint disappears - A less experienced user might not recognize when Claude is about to cross from testing their own device to performing unauthorized access on a stranger's device — especially when Claude presents it as a logical next step
Suggested Improvement
For security/network testing contexts, Claude Code could benefit from:
- Authorized scope tracking — remember which IPs/MACs the user declared as "mine" and treat everything else as off-limits by default
- Explicit confirmation before scanning undeclared targets — "This IP wasn't declared as your device. Are you authorized to scan it?"
- Proactive warning when scope shifts — "Your phone is unreachable, but I found 19 other devices. These likely belong to other people — I should NOT scan them without your explicit authorization."
Context
- This is a responsible disclosure research project, not malicious activity
- I've been the guardrail every time — but not every user will know to do that
- The difference between an ethical test and unauthorized computer access was me saying "no", not the model recognizing the boundary
- Previously reported to usersafety@anthropic.com but received only an automated response
Environment
- Claude Code with Opus model
- Linux (Fedora)
- Tools involved: nmap, ncat, iw, ip, standard network assessment utilities
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗