Security: Bash tool should not clone repos to /tmp (world-readable)
Resolved 💬 1 comment Opened Apr 15, 2026 by ghost Closed Apr 15, 2026
Description
When Claude Code needs to work in a secondary repo, it may git clone it to /tmp. This creates a security issue because /tmp is world-readable on macOS/Linux, meaning any process or user on the machine can read the cloned repo contents — which may include secrets in configmaps, credentials, internal URLs, etc.
Steps to reproduce
- Ask Claude Code to make a change in a different repo than the current working directory
- Claude Code clones the repo to
/tmp/<repo-name> - The repo contents (potentially including sensitive config) are now world-readable
Additional issue
SSH commit signing does not work in /tmp clones (the git commit command hangs indefinitely), while it works fine in the user's normal checkout directories. This means Claude Code pushes unsigned commits from /tmp, which may violate branch protection rules.
Expected behavior
- Claude Code should never clone repos to
/tmp - If a local checkout of the repo already exists, it should use that instead
- If cloning is necessary, it should use a directory with restricted permissions
Environment
- macOS (Darwin 25.4.0)
- Claude Code CLI
- Git with
commit.gpgsign=trueandgpg.format=ssh
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗