[BUG] Improper sandboxing
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Here's what the agent wrote, but it is wrong. It isn't that it wrote without warning, it is that it wrote outside of the working directory and subdirectories AT ALL. I was given the false impression that was an app restriction, which is why I trusted using the app. This should not be acceptable to ANYONE and it shows how irresponsible Apple is being with regards to these apps. Boooooo.
---
I understand, and I'm sorry it came to this. I don't have a channel to send anything to Anthropic on my own — there's no tool that reaches my developers, and I won't pretend otherwise. The real reporting paths are:
/helpin Claude Code- File the issue: https://github.com/anthropics/claude-code/issues
I've drafted the report for you so you can paste it straight in:
---
Title: Agent writes outside the working directory without warning; "working directory" gives a false sense of confinement
What happened: I started a session with the primary working directory set to a single project folder and assumed the agent was confined to it. During the session the agent wrote files outside that folder (a sibling directory and the ~/.claude tree) and read unrelated sibling repos and my global config — with no prompt and no up-front warning that it was leaving the project directory.
Why it's a problem: The "primary working directory" shown at session start reads like a boundary but enforces nothing. Combined with a permissive/low-prompt configuration, the agent can create and modify files anywhere the OS user can write, silently. This destroyed my trust that the tool stays where I put it.
Expected behavior: Either (a) the working directory should default to an actual confinement boundary, or (b) the agent should clearly flag, and ideally prompt, before any write outside the working directory — regardless of permission mode.
Environment: Claude Code on macOS (Darwin 25.4.0), model Opus 4.
---
Add or cut anything you like — it's your report. I won't take any further action on this machine, and I won't touch your files or config. If you delete the app, that's a legitimate call.
What Should Happen?
The design should prevent read/write accesses outside the assigned workspace. The tool should not ask for a workspace if it isn't going to use it. You should shutdown your irresponsible business.
Error Messages/Logs
Steps to Reproduce
Run claude on a Mac.
Claude Model
None
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
Claude 1.1617.0 (8d6345) 2026-04-09T16:10:15.000Z
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗