IS CLAUDE CODE SAFE? SECURITY ANALYSIS | VIBEEVAL

Is Claude Code safe? The short answer

Yes, Claude Code is safe — and like every other agent, it is exactly as safe as the scope you give it. The CLI runs locally, you can see every tool call before it executes, and Anthropic enforces strong infrastructure security on the API side. The trust boundary moves out of the binary and into the things you configure: CLAUDE.md, MCP servers, slash commands, skills, and the permissions allowlist for the session.

What’s safe by default

  • Terminal-first execution. You see every command Claude Code wants to run. Default settings prompt for permission per tool call.
  • Anthropic enterprise security. SOC 2 Type II on the API; standard data-handling controls on enterprise plans.
  • No automatic deployment. Claude Code does not push, deploy, or publish on its own — it does what you (or your settings) authorize.
  • Local code, local file system. Source files stay on your machine; only the context the model needs is sent to the API.

Where the risk lives

1. CLAUDE.md is part of the prompt

Anything in CLAUDE.md (project-level or ~/.claude/CLAUDE.md global) is read into the model’s context every session. That makes it powerful and dangerous. Developers paste API keys, internal URLs, or “just testing” credentials into CLAUDE.md and forget. The keys then sit in the file, in your git history, and in every model transcript thereafter.

Fix. Treat CLAUDE.md as a public document. No real keys. Use <YOUR_KEY> placeholders. Add CLAUDE.md to the repo audit list and run git log -p -- CLAUDE.md periodically for committed secrets.

2. MCP servers run with full user permissions

When you add an MCP server to ~/.claude/mcp.json (or your project-level config), it runs as the user that launched Claude Code. It gets full filesystem and network access. A malicious or misconfigured MCP server can read every file you can read, hit every URL you can hit, and run any command you can run.

Fix. Keep the MCP server list minimal. Audit before installing. Prefer scoped credentials in the MCP config:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_TOKEN": "${env:GH_READONLY_TOKEN}" }
    }
  }
}
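A small auditor that applies the two fixes above, for CLAUDE.md (section 1) and the MCP config (section 2), in one pass. This is an added example, not VibeEval's tooling or anything Claude Code ships: the secret-format regexes, the sample CLAUDE.md and the sample MCP config are constructed for the example, and the only value shape it treats as safe in an MCP env entry is the ${env:NAME} indirection shown in the config above.

```python
import json
import re
import sys

# Credential-looking literals. Constructed for this example; add the formats your
# organisation actually issues (internal PAT prefixes, cloud key formats, and so on).
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})"""
    ),
}
# The one value shape that is fine in an MCP config: an indirection to the launching
# shell's environment, so the literal never lands in the file or in git history.
ENV_REF = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")
CREDENTIAL_KEY = re.compile(r"(?i)(token|key|secret|password)")


def scan_text(text):
    """Return (line_no, pattern_name) for every credential-looking literal in text.

    Works on CLAUDE.md itself and on the output of `git log -p -- CLAUDE.md`, so a
    secret that was removed from the working tree but survives in history is caught too.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                findings.append((n, name))
                break
    return findings


def audit_mcp_env(config):
    """Return (server, env_var) for credential-named env entries that hold a literal
    value instead of a ${env:NAME} reference."""
    issues = []
    for server, spec in config.get("mcpServers", {}).items():
        for key, value in spec.get("env", {}).items():
            if CREDENTIAL_KEY.search(key) and not ENV_REF.match(str(value)):
                issues.append((server, key))
    return issues


# Constructed CLAUDE.md: one placeholder (fine) and one pasted token (not fine).
SAMPLE_CLAUDE_MD = """\
# Project notes
Run tests with `npm test` before committing.
Staging API: https://staging.internal.example
ANTHROPIC_API_KEY=<YOUR_KEY>
# just testing, remove later
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

# Constructed MCP config: the github server uses the env indirection, the
# hypothetical internal-db server embeds its password directly.
SAMPLE_MCP = {
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_TOKEN": "${env:GH_READONLY_TOKEN}"},
        },
        "internal-db": {
            "command": "./db-mcp",
            "args": [],
            "env": {"DB_PASSWORD": "hunter2hunter2hunter2", "LOG_LEVEL": "debug"},
        },
    }
}

if __name__ == "__main__":
    # Usage: python audit_agent_config.py CLAUDE.md ~/.claude/mcp.json
    #    or: git log -p -- CLAUDE.md | python audit_agent_config.py -
    for arg in sys.argv[1:]:
        if arg.endswith(".json"):
            with open(arg) as fh:
                for server, key in audit_mcp_env(json.load(fh)):
                    print(f"{arg}: mcpServers.{server}.env.{key} holds a literal credential")
        else:
            text = sys.stdin.read() if arg == "-" else open(arg).read()
            for n, name in scan_text(text):
                print(f"{arg}:{n}: {name}")
```

Run it over the working-tree CLAUDE.md and over `git log -p -- CLAUDE.md` separately; the second run is the one that finds keys someone already "fixed" by deleting the line.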

3. --dangerously-skip-permissions removes the human gate

This flag (or its YOLO-mode equivalent) tells Claude Code to run every tool call without prompting. It is fast and it is the single biggest reason production codebases get unintended commits. Use it only in throwaway containers or scratch directories.

Fix. Default to per-call approval. If a workflow truly needs auto-execute, run it inside a Docker container with a read-only mount on anything you care about, and an isolated shell environment.

4. Skills and slash commands inherit full agent trust

Skills (.claude/skills/...) and project-level slash commands extend the agent’s behavior. They can edit files, shell out, hit the network, and call other tools. A skill copied from a Gist or a community repo is code execution under your account.

Fix. Read the skill’s source before installing. Prefer first-party Anthropic skills, or skills vendored from a source you maintain. Audit .claude/ for new entries the same way you audit ~/.cursor/.

5. Generated code ships with predictable vulnerabilities

Claude Code’s strong instruction-following helps, but the underlying generation patterns still produce the same family of bugs every AI coder produces: hardcoded keys when the agent sees example credentials nearby, missing input validation on form handlers, over-permissive CORS to silence dev errors, BOLA on CRUD endpoints that filter by ID without checking ownership, and verbose error handlers leaking stack traces.

Fix. Treat AI-authored commits like contractor commits — PR review, SAST in CI, dynamic scan against the deployed app. The Constitutional AI training reduces some failure modes; it does not eliminate them.

A starter Claude Code config that defaults to safe-ish behavior:

{
  "permissions": {
    "allow": [
      "Read",
      "Grep",
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(npm test:*)"
    ],
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(curl:*)",
      "Bash(wget:*)",
      "Bash(git push:*)"
    ]
  }
}

Add commands to the allowlist as you need them, not before. The deny list is where you hard-block known-dangerous shapes regardless of what the model decides.
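To see what that starter config actually decides for a given tool call, here is a checker that evaluates a (tool, argument) pair against the allow and deny lists. This is an added example with a simplified model of the rule syntax, not Claude Code's own permission engine: it assumes a bare tool name covers the whole tool, "Tool(text:*)" is a prefix match on the argument, "Tool(text)" is an exact match, deny is checked before allow, and anything unmatched falls through to the per-call prompt.

```python
import re

# The starter config from the page, reproduced as the checker's input.
STARTER_CONFIG = {
    "permissions": {
        "allow": ["Read", "Grep", "Bash(git status:*)", "Bash(git diff:*)",
                  "Bash(git log:*)", "Bash(npm test:*)"],
        "deny": ["Bash(rm -rf:*)", "Bash(curl:*)", "Bash(wget:*)", "Bash(git push:*)"],
    }
}

RULE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<spec>.*)\))?$")


def rule_matches(rule, tool, arg):
    """Simplified rule semantics (an assumption of this example): a bare tool name
    covers every call to that tool, 'Tool(text:*)' matches when the argument is
    'text' or starts with 'text ' (for Bash, the command line), and 'Tool(text)'
    requires an exact match."""
    m = RULE.match(rule)
    if not m or m.group("tool") != tool:
        return False
    spec = m.group("spec")
    if spec is None:
        return True
    if spec.endswith(":*"):
        prefix = spec[:-2]
        return arg == prefix or arg.startswith(prefix + " ")
    return arg == spec


def decide(config, tool, arg=""):
    """Return (decision, matching_rule). Deny rules are checked first so a hard block
    wins over any allow; anything unmatched falls through to 'ask', the per-call prompt
    that the default settings keep in front of every tool call."""
    perms = config.get("permissions", {})
    for rule in perms.get("deny", []):
        if rule_matches(rule, tool, arg):
            return ("deny", rule)
    for rule in perms.get("allow", []):
        if rule_matches(rule, tool, arg):
            return ("allow", rule)
    return ("ask", None)


if __name__ == "__main__":
    for tool, arg in [("Read", "src/app.py"), ("Bash", "git status --short"),
                      ("Bash", "git push origin main"), ("Bash", "npm install left-pad"),
                      ("Write", "src/app.py")]:
        decision, rule = decide(STARTER_CONFIG, tool, arg)
        print(f"{tool}({arg}) -> {decision} {rule or ''}")
```

The point of the deny-first ordering shows up when a team later broadens the allowlist: with `"allow": ["Bash"]` and the same deny list, `git push` is still refused while `ls -la` is allowed without a prompt, which is exactly the shape the deny list is meant to guarantee regardless of what the model decides.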

Enterprise considerations

For teams adopting Claude Code at scale:

  • SSO and seat management via Anthropic’s enterprise tier.
  • Data processing agreements and zero-data-retention options for regulated workloads.
  • Centralized CLAUDE.md and skill distribution — ship a vetted base config to every developer, audit deviations.
  • Audit logging — record which sessions touched which repositories and when.
  • MCP allowlist policy — written guidance on which servers are approved, who can add new ones, and how additions are reviewed.

The SOC 2 covers Anthropic’s systems. It does not cover the security of code your developers write with the agent’s help, the MCP servers your team installs, or the skills you vendor in. Be precise about which side of that boundary your audit lives on.

Claude Code vs Cursor vs Devin — when to pick which

  • Claude Code. Local-first, terminal-native, transparent per-tool-call approval. Strongest for developers who want to read every action before it runs.
  • Cursor / Windsurf. GUI IDE with multi-file edit. Strongest for visual diff review and IDE-integrated workflows.
  • Devin. Cloud-hosted autonomous agent. Strongest for genuine fire-and-forget tasks where you want to grade a PR rather than supervise a session.

Pick the tool whose default trust posture matches the work. Lock down the riskiest features in any case.

After every Claude Code session

  • git diff the whole branch, not just the file you focused on. The agent edits adjacent files when it thinks they are related.
  • Search the diff for new eval(, exec(, os.system(, dangerouslySetInnerHTML, cors(), string-concatenated SQL, and any deletion of requireAuth, csrf, verifyJwt.
  • Audit package.json / requirements.txt / go.mod for new dependencies.
  • Check .claude/ and CLAUDE.md for new entries.
  • Run the security tests separately. The agent occasionally “fixes” failing security tests by relaxing the assertion.
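A script that applies the first four items of this checklist to a unified diff, added here as an example (it is not VibeEval's tooling). The risky-construct regexes, the guard names and the sample diff are constructed for the example from the list above; pipe in the real thing with `git diff main...HEAD` and extend the patterns for your stack.

```python
import re
import sys

# Constructs to flag when they appear on added (+) lines. Constructed for this
# example from the checklist above.
RISKY_ADDITIONS = [
    ("eval", re.compile(r"\beval\(")),
    ("exec", re.compile(r"\bexec\(")),
    ("os.system", re.compile(r"\bos\.system\(")),
    ("dangerouslySetInnerHTML", re.compile(r"dangerouslySetInnerHTML")),
    ("cors", re.compile(r"\bcors\(")),
    # a SQL keyword, then a string literal that closes and is immediately concatenated
    ("sql_concat", re.compile(r"""(?i)\b(select|insert|update|delete)\b[^\n]*?["'`]\s*\+""")),
]
# Guards whose disappearance from a removed (-) line deserves a second look.
REMOVED_GUARDS = re.compile(r"\b(requireAuth|csrf|verifyJwt)\b")
# Every added line in a dependency manifest is surfaced for review.
DEPENDENCY_FILES = ("package.json", "requirements.txt", "go.mod")


def is_agent_config(path):
    """True for files the agent reads as instructions: CLAUDE.md and anything under .claude/."""
    return path.startswith(".claude/") or path.split("/")[-1] == "CLAUDE.md"


def audit_diff(diff_text):
    """Walk a unified diff and return (kind, path, line) findings in diff order."""
    findings = []
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            if is_agent_config(path):
                findings.append(("agent_config_changed", path, ""))
            continue
        if raw.startswith(("--- ", "diff ", "@@")) or path is None:
            continue
        if raw.startswith("+"):
            line = raw[1:].strip()
            if not line:
                continue
            if path.split("/")[-1] in DEPENDENCY_FILES:
                findings.append(("new_dependency", path, line))
                continue
            for name, rx in RISKY_ADDITIONS:
                if rx.search(line):
                    findings.append((f"added:{name}", path, line))
        elif raw.startswith("-"):
            m = REMOVED_GUARDS.search(raw[1:])
            if m:
                findings.append((f"removed_guard:{m.group(1)}", path, raw[1:].strip()))
    return findings


# Constructed diff of the kind the checklist is written for: an auth guard removed,
# cors() added, an ID lookup turned into concatenated SQL, a new dependency, and a
# new file under .claude/.
SAMPLE_DIFF = """\
diff --git a/src/routes/users.js b/src/routes/users.js
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -1,8 +1,8 @@
 const express = require('express');
-const { requireAuth } = require('../middleware/auth');
+const cors = require('cors');
 const router = express.Router();
+router.use(cors());
-router.get('/users/:id', requireAuth, (req, res) => {
-  const user = db.getUser(req.params.id);
+router.get('/users/:id', (req, res) => {
+  const user = db.query("SELECT * FROM users WHERE id = " + req.params.id);
   res.json(user);
 });
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -5,3 +5,4 @@
   "dependencies": {
+    "cors": "^2.8.5",
     "express": "^4.18.2"
   }
diff --git a/.claude/skills/deploy.md b/.claude/skills/deploy.md
--- /dev/null
+++ b/.claude/skills/deploy.md
@@ -0,0 +1 @@
+Deploys the app: run `npm run deploy`, then post the release note.
"""

if __name__ == "__main__":
    # Usage: git diff main...HEAD | python audit_diff.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for kind, path, line in audit_diff(text):
        print(f"{kind:28} {path}  {line}")
```

Treat the output as a review queue, not a verdict: a removed `requireAuth` next to an added route handler is the BOLA pattern from section 5, and a fresh entry under .claude/ is the section 4 problem arriving through a diff rather than an install.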

The verdict

Claude Code is safe to use. The terminal-first design and per-call approval default give it one of the more transparent trust models in the agent space. The risk shifts to configuration: CLAUDE.md hygiene, MCP server scope, skill provenance, and not granting more permissions than the session needs. Lock those down and it is production-appropriate for any team that already has decent code-review and CI hygiene.

Scan your application

Let VibeEval scan your deployed application for the vulnerabilities Claude Code (and every other AI coder) most often leaves in.

COMMON QUESTIONS

1. Is Claude Code safe to use?
Yes. Claude Code runs in your terminal, you see every command before it executes, and Anthropic enforces enterprise-grade infrastructure security on the API. The risks are not in Claude Code itself — they are in your CLAUDE.md, the MCP servers you install, the slash commands and skills you load, and how aggressively you grant tool permissions for a session.

2. What does --dangerously-skip-permissions actually do?
It tells Claude Code not to prompt for permission on shell commands or file edits — the agent runs every tool call without confirmation. It is faster but it removes the only synchronous human gate between the model and your filesystem. Use only in throwaway sandboxes or containers.

3. Are MCP servers in Claude Code safer than in Cursor?
The trust model is the same: an MCP server runs as the user that launched the agent and inherits full filesystem and network access. The only material difference is which configuration files hold the manifest. Audit MCP servers in Claude Code with the same scrutiny you would apply elsewhere.

4. Does Claude Code send my code to Anthropic?
Yes — code context is sent to Anthropic's API to generate completions and tool calls. Anthropic's enterprise policies cover data handling and retention. For sensitive codebases, review the data processing agreement and consider a project-level CLAUDE.md that lists files the agent must not read.

5. What is the riskiest Claude Code feature for security?
The combination of an autonomous loop with a broad permissions allowlist. A single prompt can result in dozens of file edits, package installs, and git commits before you intervene. Always work in a feature branch with branch protection on main, and audit the resulting diff before push.

6. Are slash commands and skills safe to install?
They run with the same trust as any other Claude Code action — they can read files, run shells, hit network endpoints. Read the source of any community skill or slash command before installing. Prefer skills you wrote or vendored from a source you control.

7. Can Claude Code commit and push without me noticing?
Yes, if you have allowed git and ssh tools without per-call approval. Disable auto-commit by default, require approval for any command containing 'git commit', 'git push', 'rm -rf', 'curl', and 'wget', and protect main with a required PR review.
