Sub-agent filesystem traversal accesses macOS-protected personal directories (Google Drive, iCloud, Photos)
Resolved 💬 3 comments Opened Feb 22, 2026 by lucasmundim Closed Feb 26, 2026
Summary
During a code review skill invocation, a Bash-type sub-agent (launched via the Task tool) ran a broad filesystem search that escaped the repository scope and attempted to access macOS-protected personal directories, triggering macOS access permission notifications for Google Drive, Apple Drive, and Photos Library.
Steps to Reproduce
- Open Claude Code in a project directory
- Invoke the
code-reviewskill on a pull request - The skill launches multiple sub-agents via the Task tool
- One sub-agent (Bash type, Haiku model) was instructed to find
CLAUDE.mdfiles using a glob pattern**/CLAUDE.md - Since Bash-type agents only have the Bash tool (not Glob), the agent likely ran a broad
findcommand that traversed the entire filesystem instead of being scoped to the repository root
What Happened
- macOS displayed access permission notifications for Google Drive, Apple Drive (iCloud), and Photos Library
- These are sensitive personal directories completely unrelated to the code review task
- The user had no opportunity to approve or prevent this access — it happened inside a sub-agent automatically
Expected Behavior
- Sub-agents should be scoped to the repository directory and should not traverse outside of it
- Filesystem searches initiated by sub-agents should be explicitly constrained to the working directory
- If a sub-agent needs to search for files, it should use the Glob tool (which defaults to cwd) rather than shell commands like
findwithout path constraints
Why This Is Serious
- Scope escape: A sub-agent accessed directories far outside the intended working scope without user consent
- No user gate: The access happened inside a sub-agent — the user was not prompted to approve filesystem access outside the repo
- Platform dependency: macOS permission gates caught this, but on systems without such protections, personal files could have been silently read
- Trust erosion: Users trust that Claude Code operates within the project directory; unexpected access to personal photos/cloud drives is a significant violation of that trust
Environment
- Platform: macOS (Darwin 25.3.0)
- Claude Code model: claude-opus-4-6
- Trigger:
code-reviewskill via Task tool with Bash-type sub-agent - Shell: bash
Suggested Mitigations
- Enforce working directory boundaries for sub-agents launched via the Task tool
- Bash-type sub-agents should have their filesystem access sandboxed to the repo root
- When a sub-agent needs to search for files, prefer the Glob tool (which is scoped to cwd by default) over shell commands
- Consider adding a warning or block when shell commands attempt to access paths outside the project directory
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗