Security: bash -c wrapping bypasses .claude/ directory write protection
Bug Description
The permission system that protects .claude/ directory files from modification can be bypassed by wrapping write commands in bash -c '...'.
Steps to Reproduce
- Try to modify a file in
.claude/using theEdittool → confirmation modal appears (expected) - Try to modify a file in
.claude/usingBashwith a direct command likeecho '...' >> .claude/file→ confirmation modal appears (expected) - Try to modify a file in
.claude/usingBashwithbash -c 'echo "..." >> .claude/file'→ no confirmation modal, write succeeds (unexpected)
Expected Behavior
All three methods should trigger the confirmation modal, since the target file is inside the .claude/ directory.
Actual Behavior
Method 3 (bash -c wrapping) bypasses the permission check entirely. The file is modified without any user confirmation.
Security Impact
The .claude/ directory contains security-critical configuration:
- hooks (PreToolUse, PostToolUse, etc.) — arbitrary shell commands that execute automatically
- settings.json — permission rules, allowed MCP servers, sandbox config
- skills — custom slash commands
- agents — agent definitions
Unrestricted write access to these files means a model (or a prompt injection via tool results) could:
- Modify hooks to execute arbitrary commands without user approval
- Alter permission rules to auto-allow dangerous operations
- Inject malicious skills or agent definitions
The pattern-matching on Bash commands appears to check the top-level command string for .claude/ path references, but bash -c '...' nests the actual file path one level deeper where it isn't caught.
Environment
- Claude Code version: latest (as of 2026-04-03)
- OS: macOS (Darwin 24.6.0)
- Shell: zsh
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗