Security: Agent output and temp files written to world-readable /tmp — should use restrictive permissions
Problem
There are two layers of insecure temp file handling, stacked on top of each other.
Layer 1: /tmp/claude/ (the product's own output)
Claude Code writes agent task output to /tmp/claude/<project-path>/tasks/*.output. The directory is 755 and files are 644 — world-readable. The directory structure also encodes full filesystem paths to the user's projects (e.g., -Users-jsl-Work-V3-methods/), giving any local process a map of the user's work. This is the "intended" temp location and it's already unsafe.
Layer 2: /tmp/ itself (the model's scratch space)
On top of that, when the model needs to write intermediate artifacts — rendered images, JSON dumps, HTML, patches, base64 blobs, analysis text — it writes them directly to /tmp/ with default 644 permissions. These files contain project source code, API responses, debug traces, and other session context. There is no scoping, no cleanup, and no permission hardening. They sit alongside system files in a shared, world-readable namespace.
The result is that any local process can silently enumerate and read both Claude Code's own output and an unstructured pile of working files from every session the user has run. Files persist until reboot or manual cleanup.
Expected behavior
- All Claude-written temp files — agent output and model-generated artifacts — should go to a single directory with
700permissions (owner-only) - Prefer a location under
~/.claude/or$XDG_RUNTIME_DIRrather than the shared/tmpnamespace - Consider cleanup on session end, or at minimum on next launch
Environment
- macOS (Darwin 24.6.0, arm64)
- Claude Code CLI
---
Co-Authored-By: tmpsnitch
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗