[BUG] Privacy & filesystem access | Claude Code requests macOS TCC access to Desktop / Documents / Downloads / iCloud Drive with no apparent trigger

Open 💬 2 comments Opened May 21, 2026 by abidikshit

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code triggered four macOS TCC (Transparency, Consent, and Control) permission prompts in sequence, requesting access to my Desktop, Documents, Downloads, and iCloud Drive folders. The prompts appeared mid-session without any apparent trigger — I was not asking Claude to look at files outside the current project working directory.

None of these four protected folders contain anything related to the project, and I had not run any command that should have caused filesystem access outside the project root. Denying all four prompts did not cause any visible error in my session, suggesting the access was not strictly required for the work I was doing.

These four folders are macOS's most privacy-sensitive user-data locations. Granting blanket access exposes personal documents, iCloud-synced files from other devices, downloads (statements, invoices, credentials), and anything saved to Desktop. A CLI tool scoped to a project directory should not need any of them.

What Should Happen?

Either:

Claude Code should not request these permissions at all unless a specific user-issued command requires access to those locations.
OR the prompt should clearly state which feature / tool / subsystem is requesting the access, with the ability to deny without breaking the session and a path to grant scoped access per-feature rather than blanket folder access.
In either case, the prompts should not arrive in a batch with no in-app explanation. A new user seeing four "give me access to your personal folders" prompts in sequence will reasonably uninstall the tool.

If this is intentional and there's a legitimate reason for it, please document it in the Claude Code docs under a "Privacy & filesystem access" section so users can read about it before consenting.

Error Messages/Logs

No errors in the Claude Code session — denying the prompts did not surface any failure. The session continued to work normally for the project I was focused on.

The macOS prompt text (visible at the system level) was the standard:

"Claude Code" would like to access files in your Desktop folder.
"Claude Code" would like to access files in your Documents folder.
"Claude Code" would like to access files in your Downloads folder.
"Claude Code" would like to access your iCloud Drive.

No additional reason text was shown beyond the default macOS template.

Steps to Reproduce

Unclear — the prompts appeared without an obvious trigger. What I was doing leading up to them:

Working with a Vite + React + Cloudflare Workers project
Standard editing of files in src/
Running npm test, npm run build, and various git/gh commands inside the project
Having a long conversation with Claude about code changes, releases, PR management
Several Claude Code plugins / skills were active in the session — including auto-injected suggestions from vercel-plugin (which kept suggesting Vercel/Next-related skills despite this being a Cloudflare project)
At some point during normal use, the four TCC prompts appeared in sequence
I cannot pinpoint the exact command or model action that triggered them. If there is a verbose / debug log mode that records every filesystem access attempt or every skill/plugin filesystem call, please tell me how to enable it and I will re-run to capture the trigger.

Possible suspects worth investigating:

A bundled skill or plugin scanning ~/ for related projects
An MCP server attempting filesystem indexing outside the working directory
A diagnostic / telemetry feature
An auto-suggestion engine looking for related repos
A glob pattern accidentally rooted at ~/ instead of the project dir

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

2.1.144

Claude Code Version

2.1.144

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Why I am filing this rather than just disabling the tool:

Claude Code is otherwise working well for me; I am invested in it. But mid-session TCC prompts for personal folders unrelated to the working directory are exactly the kind of behavior that gets a tool flagged by IT / security teams at any company. If this is intentional, please document it. If it is unintentional, please trace which subsystem requested it.

What I think the investigation should check:

Is any built-in feature reading ~/ (the user's home directory) rather than the working directory?
Are any of the active skills / plugins / MCP servers scanning sibling directories?
Is there a hidden onboarding / first-run filesystem-scan that runs lazily?
Does the autocomplete / file-discovery feature index outside the working directory?
Does the project-detection logic (e.g., looking for similar projects) walk up into the home directory?
Mitigation I have applied:

Denied all four TCC prompts
Will leave them denied until a Claude Code change documents why they are needed
Claude Code continues to work normally for my project-scoped work
Project context for reproduction (if helpful):

Security context:

This deserves higher visibility than a normal feature-request bug. macOS users who decline these prompts may have a degraded experience that they cannot debug. macOS users who accept them are granting blanket personal-data access to an LLM-driven agent that may relay portions of file contents to a model. The security ergonomics of this matter and merit a clear path forward — either documentation, scoped permissions, or removal of whatever subsystem is making the request.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗