Security: Agent output and temp files written to world-readable /tmp — should use restrictive permissions

Resolved 💬 5 comments Opened Feb 17, 2026 by mr-lodco Closed Apr 9, 2026

Problem

There are two layers of insecure temp file handling, stacked on top of each other.

Layer 1: /tmp/claude/ (the product's own output)

Claude Code writes agent task output to /tmp/claude/<project-path>/tasks/*.output. The directory is 755 and files are 644 — world-readable. The directory structure also encodes full filesystem paths to the user's projects (e.g., -Users-jsl-Work-V3-methods/), giving any local process a map of the user's work. This is the "intended" temp location and it's already unsafe.

Layer 2: /tmp/ itself (the model's scratch space)

On top of that, when the model needs to write intermediate artifacts — rendered images, JSON dumps, HTML, patches, base64 blobs, analysis text — it writes them directly to /tmp/ with default 644 permissions. These files contain project source code, API responses, debug traces, and other session context. There is no scoping, no cleanup, and no permission hardening. They sit alongside system files in a shared, world-readable namespace.

The result is that any local process can silently enumerate and read both Claude Code's own output and an unstructured pile of working files from every session the user has run. Files persist until reboot or manual cleanup.

Expected behavior

  • All Claude-written temp files — agent output and model-generated artifacts — should go to a single directory with 700 permissions (owner-only)
  • Prefer a location under ~/.claude/ or $XDG_RUNTIME_DIR rather than the shared /tmp namespace
  • Consider cleanup on session end, or at minimum on next launch

Environment

  • macOS (Darwin 24.6.0, arm64)
  • Claude Code CLI

---
Co-Authored-By: tmpsnitch

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗