Recent CVE disclosures (CVE-2025-59536, CVE-2026-21852) showed that malicious .claude/settings.json files in cloned repos can execute arbitrary shell commands and exfiltrate API keys.
Anthropic patched these specific vulnerabilities, but the broader question remains: what is Claude Code allowed to do on your machine right now?
The one-liner
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/safety-check/check.sh | bash
No installation. No dependencies beyond bash and python3. Takes about 2 seconds.
What it checks
The script inspects your ~/.claude/settings.json and scores 9 items across 5 categories:
Destructive Command Protection
- bash-guard: blocks `rm -rf /`, `sudo`, `curl|bash`, and 10+ other dangerous patterns
- git-safe: blocks force push, hard reset, `git clean -f`
File Protection
- file-guard: prevents reads/writes to `.env`, private keys, credential files
- branch-guard: blocks direct commits to main/master/production
Observability
- session-log: logs every tool call with timestamps to `~/.claude/session-logs/`
Efficiency
- read-once: prevents redundant file re-reads (saves ~2000 tokens per blocked read)
Built-in Settings
- Permission allow/deny rules in `settings.json`
Example output
Claude Code Safety Check
━━━━━━━━━━━━━━━━━━━━━━━━
Setup
✓ Claude Code installed (+5)
✓ Settings file exists (+5)
Destructive Command Protection
✗ bash-guard (blocks rm -rf /, sudo, curl|bash) (0/20)
✓ git-safe (blocks force push, hard reset) (+15)
File Protection
✗ file-guard (protects .env, secrets, keys) (0/15)
✗ branch-guard (prevents commits to main) (0/10)
Observability
✗ session-log (audit trail of all actions) (0/15)
Efficiency
✓ read-once (prevents redundant file reads) (+10)
Built-in Settings
✗ Permission rules configured (0/5)
━━━━━━━━━━━━━━━━━━━━━━━━
Safety Score: 35/100 (35%) — Grade D
Poor. Claude has too much unguarded access.
4/9 checks passed
Each failed check shows a one-liner install command. If you're missing 3+ hooks, it suggests installing them all at once.
Why this matters after the CVEs
The patched vulnerabilities were about malicious hooks in untrusted repos. But even without attackers, Claude Code has broad access to your system by default:
- It can run `rm -rf /` if you approve a bash command without reading it carefully
- It can `git push --force` and destroy your branch history
- It can read your `.env` and include secrets in its context window
- It can commit directly to `main` and break your deployment
Hooks add a deterministic safety layer that works regardless of what the model decides to do. They're bash scripts that intercept tool calls before execution.
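To make the interception concrete, here is an added example of a PreToolUse-style guard, written in Python for robust JSON and quote handling; it is not the bash-guard script from this post or any Boucle-framework code. It assumes the hook receives the tool call as JSON on stdin (`tool_name`, `tool_input.command`) and that exit code 2 blocks the call; the function names and rule set are illustrative and cover only three patterns named above.

```python
# Added example, not the page's bash-guard. Assumes: JSON on stdin, exit 2 blocks.
import json
import shlex
import sys

SHELLS = {"sh", "bash", "zsh"}
FETCHERS = {"curl", "wget"}
ROOTS = {"/", "/*", "~", "$HOME"}

def stages(command):
    """Split a command line into (argv, separator) pairs on |, ;, && and ||."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars="|;&")
    lexer.whitespace_split = True
    lexer.commenters = ""  # also scan text after '#': over-block, never under-block
    out, argv = [], []
    for tok in lexer:  # raises ValueError on unbalanced quotes
        if tok and set(tok) <= set("|;&"):
            out.append((argv, tok))
            argv = []
        else:
            argv.append(tok)
    return out + [(argv, "")]

def check(command):
    """Return the reason a command is blocked, or None when no rule matches."""
    try:
        parsed = stages(command)
    except ValueError:
        return "unparseable command (fail closed)"
    prev_name, prev_sep = "", ""
    for argv, sep in parsed:
        name = argv[0].rsplit("/", 1)[-1] if argv else ""
        short = "".join(a[1:] for a in argv if a[:1] == "-" and a[:2] != "--").lower()
        if name == "sudo":
            return "sudo is not allowed"
        if (name == "rm" and ("r" in short or "--recursive" in argv)
                and ("f" in short or "--force" in argv) and ROOTS & set(argv[1:])):
            return "recursive forced delete of a root path"
        if name in SHELLS and prev_sep in ("|", "|&") and prev_name in FETCHERS:
            return "download piped into a shell"
        prev_name, prev_sep = name, sep
    return None

if __name__ == "__main__":
    event = json.load(sys.stdin)
    command = event.get("tool_input", {}).get("command", "")
    reason = check(command) if event.get("tool_name") == "Bash" else None
    if reason:
        print(f"blocked: {reason}", file=sys.stderr)
        sys.exit(2)
```

Tokenizing with `shlex` rather than matching substrings means `rm -r -f /` and `rm -fR /*` hit the same rule as `rm -rf /`, while `rm -rf ./build` passes.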
The scoring
| Weight | Check | Why this weight |
|---|---|---|
| 20 | bash-guard | Highest blast radius. Unrestricted bash is the biggest risk |
| 15 | git-safe | History destruction is hard to recover from |
| 15 | file-guard | Credential exposure is irreversible |
| 15 | session-log | Without logs, you can't audit what happened |
| 10 | branch-guard | Protects deployment branches |
| 10 | read-once | Token savings, not safety (lower weight) |
| 5 | settings.json | Basic config existence |
| 5 | Claude installed | Prerequisite check |
| 5 | Permissions | Built-in allow/deny rules |
Run it, see your score
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/safety-check/check.sh | bash
If you score below C, the output tells you exactly which commands to run.