snovymgodym, 6 days ago:
Claude code is by all accounts a revolutionary tool for getting useful work done on a computer. It's also:
- a NodeJS app
- installed by curling a shell script and piping it into bash
- an LLM that's given free reign to mess with the filesystem, run commands, etc.
So that's what, like 3 big glaring vectors of attack for your system right there? I would never feel comfortable running it outside of some kind of sandbox, e.g. VM, container, dedicated dev box, etc.

sneak, 6 days ago:
None of this is the concerning part. The bad part is that it auto-updates while running without intervention - i.e. it is RCE on your machine for Anthropic by design.

jpalawaga, 6 days ago:
So we're declaring all software with auto-updaters as RCE? That doesn't seem like a useful distinction.

autoexec, 5 days ago:
Software that automatically phoned home to check if an update is available used to be considered spyware if there wasn't a prompt at installation asking if you wanted that. The attitude was "Why should some company get my IP address and a timestamp telling them when/how often I'm online and using their software?" Some people thought that was paranoid. We gave them an inch out of fear ("You'd better update constantly and immediately in case our shitty software has a bug that's made you vulnerable!") and today they've basically decided they can do whatever the fuck they want on our devices while also openly admitting to tracking our IPs and when/how often we use their software along with exactly what we're using it for, the hardware we're using, and countless other metrics. Honestly, we weren't paranoid enough.

marshray, 5 days ago:
From the perspective of the software vendor, it may be a semi-regular occurrence that they learn that users are being actively harmed by a software vulnerability exploited in-the-wild. So that's an argument that developers have a moral obligation to maintain the ability to push updates to their users without delay. Waiting for the user to click "Check for updates..." is effectively pushing this responsibility onto the users, the vast majority of whom lack the information and expertise needed to make an informed choice about the risk.

CGamesPlay, 5 days ago:
We're talking about Claude Code, the frontend to the online, hosted LLM inference suite, right? The auto-updater isn't where they get their usage metrics.

skydhash, 5 days ago:
That's pretty much the definition. Auto updating is trusting the developer (almost always a bad idea).

mr_mitm, 5 days ago:
Simply running the software means trusting the developer. But even then, do you really read the commits comprising the latest Firefox update? How would I review the updates for my cell phone? I just hit "okay", or simply set up auto updates.

skydhash, 5 days ago:
I trust Debian, and I do trust Firefox. I also trust Node, NPM, and Yarn. But I don't trust the myriad packages in some rando projects. So who I trust got installed by apt. Anyone else is relocated to a VM or some kind of sandbox.

mr_mitm, 5 days ago:
So your issue isn't related to auto updates at all, not even "almost always".

christophilus, 6 days ago:
Mine doesn't auto update. I set it up so it doesn't have permission to do that.

actualwitch, 6 days ago:
Not only that, but it also connects to raw.githubusercontent.com to get the update. Doubt there are any signature checks happening there either. I know people love hating the locked-down Apple ecosystem, but this kind of stuff is why it is necessary.

kasey_junk, 6 days ago:
I definitely think running agents in sandboxes is the way to go. That said, Claude code does not have free reign to run commands out of the gate.

fwip, 5 days ago:
Pet peeve - it's free rein, not free reign. It's a horse riding metaphor.

0cf8612b2e1e, 5 days ago:
Bah, well I have been using that incorrectly my entire life. A monarchy/ruler metaphor seems just as logical.

sneak, 6 days ago:
Yes it does; you are thinking of agent tool calls. The software package itself runs as your uid and can do anything you can do (except on macOS, where reading of certain directories is individually gated).

otterley, 6 days ago:
Claude Code is an agent. It will not call any tools or commands without your prior consent.
Edit: unless you pass it an override like --dangerously-skip-permissions, as this malware does. https://www.stepsecurity.io/blog/supply-chain-security-alert...

kasey_junk, 6 days ago:
Ok, but that's true of _any_ program you install, so it isn't interesting. I don't think the current agent tool call permission model is _right_, but it exists, so saying by default it will freely run those calls is less true of agents than other programs you might run.

saberience, 6 days ago:
So what? It doesn't run by itself, you have to choose to run it. We have tons of apps with loads of permissions. The terminal can also mess with your filesystem and run commands... sure, but it doesn't open by itself and run commands itself. You have to literally run claude code and tell it to do stuff. It's not some living, breathing demon that's going to destroy your computer while you're at work. Claude Code is the most amazing and game changing tool I've used since I first used a computer 30 years ago. I couldn't give two fucks about its "vectors of attack", none of them matter if no one has unauthorized access to my computer, and if they do, Claude Code is the least of my issues.

OJFord, 6 days ago:
It doesn't have to be a deliberate 'attack', Claude can just do something absurdly inappropriate that wasn't what you intended. "You're absolutely right! I should not have `rm -rf /bin`d!"

saberience, 5 days ago:
I would say this is a feature, not a bug. Terminal and Bash or any shell can do this, if the user sucks. I want Claude Code to be able to do anything and everything, that's why it's so powerful. Sure, I can also make it do bad stuff, but that's like any tool. We don't ban knives because sometimes they kill people, because they're useful.

OJFord, 5 days ago:
I would say it's neither, it's complacent misuse by the user. As you allude to, we generally already are, but non-deterministic & especially 'agentic' AI makes the stakes/likelihood of it going wrong so much higher. Don't use an MCP server with permission (capability) to do more than you want, regardless of whether you think you're instructing the AI tool to do the bad thing it's technically capable of. Don't run AI tools with filesystem access outside of something like a container with only a specific whitelist of directory mounts. Assume that the worst that could happen with the capability given will happen.

zahlman, 5 days ago:
> Terminal and Bash or any shell can do this, if the user sucks.
But at least they will do it deterministically.

bethekidyouwant, 5 days ago:
I don't use Claude, but can it really run commands on the cli without human confirmation? Sure, there may be a switch to allow this, but if that's the case, all but the most yolo must be using it in a container?

mr_mitm, 5 days ago:
There are scenarios in which you allow it to run python or uv for the session (perhaps because you want it to run tests on its own), and then for whatever reason it could run `subprocess.run("rm -rf / --no-preserve-root".split())` or something like that. I use it in a container, so at worst it can delete my repository.

0x3f, 5 days ago:
By default it asks before running commands. The options when it asks are something like:
[1] Yes
[2] Yes, and allow this specific command for the rest of this session
[3] No

stagalooo, 5 days ago:
One easy way to accidentally give Claude permission to do almost anything is to tell it that it's allowed to run "find" without confirmation. Claude is constantly searching through your files and approving every find command is annoying. The problem is, find has a --exec flag that lets it run arbitrary bash commands. So now Claude can basically do anything it wants. I have really been enjoying Claude in a container in yolo mode though. Seems like the main risk I am taking is data exfiltration since it has unfettered access to the internet.

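The "approve find" pitfall described in the comment above, as an added example that is not part of the thread and is not Claude Code's own permission code: a constructed policy check that contrasts the shortcut of approving a binary by its first word with a per-option allow-list that refuses exec-style predicates and command chaining. The policy table, binary names and permitted options are assumptions chosen for illustration.

```python
import shlex

# Constructed policy (not Claude Code's real configuration format): binaries the
# user has auto-approved, each with the only options that remain permitted. Anything
# not listed is refused, so an escalation flag nobody thought of is denied by default.
# Combined short flags (e.g. "-la") must be listed explicitly if they are wanted.
POLICY = {
    "find": {"-name", "-iname", "-path", "-type", "-maxdepth", "-mindepth",
             "-newer", "-print", "-not", "-a", "-o", "!", "(", ")"},
    "ls": {"-l", "-a", "-la", "-h", "-R"},
    "grep": {"-r", "-n", "-i", "-l", "-E", "-F", "-e", "--include"},
}

# Characters that chain a second command, redirect output, or substitute a command
# into an argument. Any of them means the first word no longer describes what runs.
SHELL_CONTROL = (";", "&", "|", "`", "$(", "\n", ">", "<")


def naive_allowed(command: str) -> bool:
    """The shortcut the comment describes: approved if the first word is approved."""
    words = command.split()
    return bool(words) and words[0] in POLICY


def policy_allowed(command: str) -> bool:
    """Approve only if the binary is approved and every option is on its allow-list."""
    if any(marker in command for marker in SHELL_CONTROL):
        return False  # "find . ; rm -rf ~" must not ride on the find approval
    try:
        argv = shlex.split(command)
    except ValueError:
        return False  # unbalanced quotes: do not guess, fall back to asking the user
    if not argv or argv[0] not in POLICY:
        return False
    permitted = POLICY[argv[0]]
    for token in argv[1:]:
        if token.startswith("-"):
            # "--include=*.py" is checked by its option name; "-exec", "-execdir",
            # "-ok", "-delete", "-fprint" and friends all fall through to the refusal.
            if token.split("=", 1)[0] not in permitted:
                return False
    return True
```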
CGamesPlay, 5 days ago:
> I couldn't give two fucks about its "vectors of attack", none of them matter if no one has unauthorized access to my computer, and if they do, Claude Code is the least of my issues.
Naive! Claude Code grants access to your computer, authorized or not. I'm not talking about Anthropic, I'm talking about the HTML documentation file you told Claude to fetch (or manually saved) that has an HTML comment with a prompt injection.