Security: bash -c wrapping bypasses .claude/ directory write protection

Resolved 💬 2 comments Opened Apr 3, 2026 by pbuchman Closed May 12, 2026

Bug Description

The permission system that protects .claude/ directory files from modification can be bypassed by wrapping write commands in bash -c '...'.

Steps to Reproduce

  1. Try to modify a file in .claude/ using the Edit tool → confirmation modal appears (expected)
  2. Try to modify a file in .claude/ using Bash with a direct command like echo '...' >> .claude/fileconfirmation modal appears (expected)
  3. Try to modify a file in .claude/ using Bash with bash -c 'echo "..." >> .claude/file'no confirmation modal, write succeeds (unexpected)

Expected Behavior

All three methods should trigger the confirmation modal, since the target file is inside the .claude/ directory.

Actual Behavior

Method 3 (bash -c wrapping) bypasses the permission check entirely. The file is modified without any user confirmation.

Security Impact

The .claude/ directory contains security-critical configuration:

  • hooks (PreToolUse, PostToolUse, etc.) — arbitrary shell commands that execute automatically
  • settings.json — permission rules, allowed MCP servers, sandbox config
  • skills — custom slash commands
  • agents — agent definitions

Unrestricted write access to these files means a model (or a prompt injection via tool results) could:

  • Modify hooks to execute arbitrary commands without user approval
  • Alter permission rules to auto-allow dangerous operations
  • Inject malicious skills or agent definitions

The pattern-matching on Bash commands appears to check the top-level command string for .claude/ path references, but bash -c '...' nests the actual file path one level deeper where it isn't caught.

Environment

  • Claude Code version: latest (as of 2026-04-03)
  • OS: macOS (Darwin 24.6.0)
  • Shell: zsh

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗