Security: Bash tool should not clone repos to /tmp (world-readable)

Resolved 💬 1 comment Opened Apr 15, 2026 by ghost Closed Apr 15, 2026

Description

When Claude Code needs to work in a secondary repo, it may git clone it to /tmp. This creates a security issue because /tmp is world-readable on macOS/Linux, meaning any process or user on the machine can read the cloned repo contents — which may include secrets in configmaps, credentials, internal URLs, etc.

Steps to reproduce

  1. Ask Claude Code to make a change in a different repo than the current working directory
  2. Claude Code clones the repo to /tmp/<repo-name>
  3. The repo contents (potentially including sensitive config) are now world-readable

Additional issue

SSH commit signing does not work in /tmp clones (the git commit command hangs indefinitely), while it works fine in the user's normal checkout directories. This means Claude Code pushes unsigned commits from /tmp, which may violate branch protection rules.

Expected behavior

  • Claude Code should never clone repos to /tmp
  • If a local checkout of the repo already exists, it should use that instead
  • If cloning is necessary, it should use a directory with restricted permissions

Environment

  • macOS (Darwin 25.4.0)
  • Claude Code CLI
  • Git with commit.gpgsign=true and gpg.format=ssh

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗