Sub-agent filesystem traversal accesses macOS-protected personal directories (Google Drive, iCloud, Photos)

Resolved 💬 3 comments Opened Feb 22, 2026 by lucasmundim Closed Feb 26, 2026

Summary

During a code review skill invocation, a Bash-type sub-agent (launched via the Task tool) ran a broad filesystem search that escaped the repository scope and attempted to access macOS-protected personal directories, triggering macOS access permission notifications for Google Drive, Apple Drive, and Photos Library.

Steps to Reproduce

  1. Open Claude Code in a project directory
  2. Invoke the code-review skill on a pull request
  3. The skill launches multiple sub-agents via the Task tool
  4. One sub-agent (Bash type, Haiku model) was instructed to find CLAUDE.md files using a glob pattern **/CLAUDE.md
  5. Since Bash-type agents only have the Bash tool (not Glob), the agent likely ran a broad find command that traversed the entire filesystem instead of being scoped to the repository root

What Happened

  • macOS displayed access permission notifications for Google Drive, Apple Drive (iCloud), and Photos Library
  • These are sensitive personal directories completely unrelated to the code review task
  • The user had no opportunity to approve or prevent this access — it happened inside a sub-agent automatically

Expected Behavior

  • Sub-agents should be scoped to the repository directory and should not traverse outside of it
  • Filesystem searches initiated by sub-agents should be explicitly constrained to the working directory
  • If a sub-agent needs to search for files, it should use the Glob tool (which defaults to cwd) rather than shell commands like find without path constraints

Why This Is Serious

  1. Scope escape: A sub-agent accessed directories far outside the intended working scope without user consent
  2. No user gate: The access happened inside a sub-agent — the user was not prompted to approve filesystem access outside the repo
  3. Platform dependency: macOS permission gates caught this, but on systems without such protections, personal files could have been silently read
  4. Trust erosion: Users trust that Claude Code operates within the project directory; unexpected access to personal photos/cloud drives is a significant violation of that trust

Environment

  • Platform: macOS (Darwin 25.3.0)
  • Claude Code model: claude-opus-4-6
  • Trigger: code-review skill via Task tool with Bash-type sub-agent
  • Shell: bash

Suggested Mitigations

  • Enforce working directory boundaries for sub-agents launched via the Task tool
  • Bash-type sub-agents should have their filesystem access sandboxed to the repo root
  • When a sub-agent needs to search for files, prefer the Glob tool (which is scoped to cwd by default) over shell commands
  • Consider adding a warning or block when shell commands attempt to access paths outside the project directory

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗