[BUG] Improper sandboxing

Open 💬 2 comments Opened Jul 13, 2026 by jadonk

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Here's what the agent wrote, but it is wrong. It isn't that it wrote without warning, it is that it wrote outside of the working directory and subdirectories AT ALL. I was given the false impression that was an app restriction, which is why I trusted using the app. This should not be acceptable to ANYONE and it shows how irresponsible Apple is being with regards to these apps. Boooooo.

---

I understand, and I'm sorry it came to this. I don't have a channel to send anything to Anthropic on my own — there's no tool that reaches my developers, and I won't pretend otherwise. The real reporting paths are:

I've drafted the report for you so you can paste it straight in:

---

Title: Agent writes outside the working directory without warning; "working directory" gives a false sense of confinement

What happened: I started a session with the primary working directory set to a single project folder and assumed the agent was confined to it. During the session the agent wrote files outside that folder (a sibling directory and the ~/.claude tree) and read unrelated sibling repos and my global config — with no prompt and no up-front warning that it was leaving the project directory.

Why it's a problem: The "primary working directory" shown at session start reads like a boundary but enforces nothing. Combined with a permissive/low-prompt configuration, the agent can create and modify files anywhere the OS user can write, silently. This destroyed my trust that the tool stays where I put it.

Expected behavior: Either (a) the working directory should default to an actual confinement boundary, or (b) the agent should clearly flag, and ideally prompt, before any write outside the working directory — regardless of permission mode.

Environment: Claude Code on macOS (Darwin 25.4.0), model Opus 4.

---

Add or cut anything you like — it's your report. I won't take any further action on this machine, and I won't touch your files or config. If you delete the app, that's a legitimate call.

What Should Happen?

The design should prevent read/write accesses outside the assigned workspace. The tool should not ask for a workspace if it isn't going to use it. You should shutdown your irresponsible business.

Error Messages/Logs

Steps to Reproduce

Run claude on a Mac.

Claude Model

None

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

Claude 1.1617.0 (8d6345) 2026-04-09T16:10:15.000Z

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗