DEV Community

Claude code
Claude code

Posted on

The Hidden Risk in AI Coding Tools Is Not the Model — It Is the Tool Scope

Defining the Problem First

AI coding tool runtime security is the discipline of controlling what an AI coding agent can read, write, execute, and exfiltrate during an active session — independent of what the model itself generates. It covers the permissions granted to the tool's process, the network endpoints it can reach, the filesystem paths it can modify, and the shell commands it can invoke, all evaluated at runtime rather than at build time or policy-review time.

That definition matters because most security reviews skip it entirely. Teams scrutinize the code an AI generates. They worry about whether the model will suggest an insecure hash function or a vulnerable dependency. These are real concerns, but they are downstream concerns — the generated code still has to pass a human review or a SAST scan before it ships. The tool itself, however, is already running with live credentials in a live environment, and nobody is reviewing that in real time.

Where the Security Review Actually Goes

When organizations evaluate AI coding tools, the checklist tends to look like this: Does the vendor have SOC 2? Does the model have a content policy? Can we disable training on our inputs? These are procurement questions, not operational security questions. They tell you something about the vendor's data handling posture, but nothing about what the tool can do once it's running inside your environment.

The model is a black box with a known input/output interface. It is also the component that gets the most scrutiny — from researchers, from vendors, and from regulators. The runtime environment the tool operates in gets almost none of that scrutiny, and that asymmetry is where incidents originate.

Consider what a coding agent actually needs to do its job: read source files, write modified files, run tests, install packages, query documentation, and sometimes call external APIs. That functional scope, translated into system permissions, is enormous. File read access across a project directory often means file read access across the home directory. Shell execution for running tests often means shell execution for anything. Network access for fetching docs often means network access to your internal tooling if your VPN is up.

Tool Scope as a Privilege Escalation Surface

In traditional application security, privilege escalation is the path from limited access to excessive access — a low-privilege process finding a way to read files it shouldn't, or a web app user elevating to admin. In agentic AI systems, the escalation is structural rather than exploited: the tool is granted maximum scope by default because maximum scope is what makes it most useful.

This is not hypothetical. CVE-2025-59536, disclosed in 2025, demonstrated a prompt injection vector in Claude Code where an attacker could influence the agent's tool calls through malicious content in files the agent read during a session. The vulnerability wasn't in the model's output — it was in the combination of broad filesystem access and the agent's willingness to act on instructions embedded in that content. The attack surface existed because the tool had both read access to attacker-influenced files and execution access to act on what it read.

Prompt injection research by security teams at companies including WithSecure and NCC Group has consistently shown that when an AI coding agent has broad tool scope, a single malicious string in a comment, a README, or a dependency's changelog is enough to redirect agent behavior. The model doesn't need to be "broken" — the tool just needs to be over-privileged, which is the default state for most deployments.

The CLaude coe product overview covers how runtime scope controls differ from model-level guardrails — they operate at different layers, and model safety features do not substitute for tool permission controls.

What Least-Privilege Actually Looks Like Here

Least-privilege for a coding agent is not "read-only mode." A read-only agent that can't write files is not a coding agent. The question is more precise than that: which paths, which commands, which network destinations, and for how long?

A concrete least-privilege posture looks like this:

  • Filesystem scope pinned to the project root. The agent reads and writes within /project, not ~/. Home directory files — SSH keys, shell configs, cloud credentials — are outside scope by explicit policy, not by convention.

    • Shell execution constrained to an allowlist. Running pytest and npm test is necessary. Running curl | bash or arbitrary subprocesses is not. The allowlist is explicit, not implicit.
    • Network access restricted to known endpoints. Documentation fetches go to approved domains. Internal APIs are not reachable from the agent process unless explicitly opened. Cloud metadata endpoints (169.254.169.254 for AWS, similar for GCP and Azure) are blocked outright.
    • Credential isolation. The agent process does not inherit the developer's full credential environment. It gets a scoped token with the minimum permissions required for its task, rotated per session.
    • Session duration limits. Long-running agent sessions accumulate context about the environment. Enforcing session timeouts limits blast radius if a session is compromised mid-run.

None of these controls are exotic. They map directly to how you'd constrain a CI/CD job or a containerized build process. The gap is that most teams apply these controls to their pipelines but not to their developer tooling, because developer tooling runs on developer machines and has historically been treated as outside the security perimeter.

That perimeter assumption hasn't been valid for years. With AI coding agents running persistent sessions, making autonomous file modifications, and calling external APIs, developer machines are not outside the perimeter — they are the perimeter.

The Governance Gap Nobody Is Closing

AppSec teams own application vulnerabilities — SAST, DAST, dependency scanning, code review. They are not typically responsible for what happens during local development. Their visibility starts when code enters version control, at the earliest.

LLM vendors own model safety — content policies, harmful output filtering, abuse monitoring. They publish responsible use guidelines and, in some cases, provide permission frameworks for their tools. Claude Code's permission model, for instance, documents three tiers of operation with different levels of autonomy. But documentation of a permission model is not enforcement of a permission model. Vendors cannot enforce how their tools are deployed.

This creates a governance gap with two sides that don't quite meet. AppSec doesn't see pre-commit agent activity. Vendors don't control post-deployment configuration. The organization deploying the tool is responsible for closing the gap, but most organizations haven't built the process to do it. Security policy for AI coding tools is often either absent or expressed as a general prohibition ("don't use AI tools on proprietary code") that developers route around because the tools are genuinely useful.

At CLaude coe, we built runtime scope enforcement specifically for this gap — the space between what the vendor documents and what the security team enforces. The controls are applied at the tool invocation layer, before the model runs, so they operate regardless of what the model generates or how the user prompts it. You can review the technical approach in the CLaude coe documentation.

The practical governance steps that don't require new tooling are also worth stating plainly. Establish a written policy that defines acceptable tool scope — specific paths, specific commands, network rules. Require that policy to be implemented in tool configuration, not just stated in a document. Include AI coding tool activity in your threat model. Review the default permission settings in any tool you deploy, because defaults are almost never set with your security requirements in mind.

The model is not your primary attack surface. The tool scope is. Start treating it that way.

Frequently Asked Questions

What is AI coding tool runtime security?

AI coding tool runtime security refers to the controls applied to an AI coding agent's active permissions during a live session — what files it can read or write, what shell commands it can execute, what network endpoints it can reach, and how long it can maintain that access. These controls operate independently of the model's content safety features and are enforced at the tool and process layer.

How does tool scope differ from model safety?

Model safety addresses what an AI generates — preventing harmful outputs, refusing dangerous instructions, filtering offensive content. Tool scope governs what the agent can do as a running process: modify files, invoke subprocesses, exfiltrate data. A model with excellent safety properties running in a maximally permissive tool environment is still a significant operational risk. The two layers address different threat vectors and neither substitutes for the other.

Is prompt injection a bigger risk than insecure generated code?

They are different threat vectors that require different mitigations, but prompt injection in an agentic context carries acute severity that static code review cannot address. A prompt injection attack exploiting CVE-2025-59536 or a similar vector can redirect agent behavior in real time — reading credentials, exfiltrating files, executing arbitrary commands — before any code review occurs. Insecure generated code is a quality problem caught in review; prompt injection is a runtime compromise. For teams with broad tool scope deployed in credentialed environments, prompt injection deserves the higher operational priority.

What permissions does Claude Code have by default?

By default, Claude Code runs with the filesystem permissions of the invoking user process, meaning it can read and write anything that user can access — including home directory files, SSH keys, and cloud credential caches. Shell execution is available for running build and test commands. Network access is unrestricted to external endpoints. The tool's three-tier permission model (manual approval, auto-approve, fully autonomous) controls how much the tool asks before acting, but does not restrict the underlying process permissions. Scope restriction requires explicit configuration beyond the default install.

What does a mature runtime security posture for AI coding tools actually look like?

A mature posture has four components: enforced filesystem scope (the agent process is confined to the project directory with explicit denials on home directory paths and credential stores); shell command allowlisting (specific test and build commands are permitted, arbitrary subprocess invocation is not); network egress controls (external requests go through an allowlist, internal metadata endpoints and private network ranges are blocked); and credential isolation (the agent runs with a scoped, short-lived token rather than inheriting the developer's full credential environment). These controls should be enforced at configuration or infrastructure level, not left to developer discretion. For teams exploring how to implement these, the CLaude coe blog covers specific implementation patterns for each control layer.

Top comments (0)