By NHI Mgmt Group Editorial TeamPublished 2025-09-18Domain: Agentic AI & NHIsSource: Backslash Security

TL;DR: Claude Code can read files, run commands, install dependencies, and connect to APIs with the developer’s permissions, which means a poisoned prompt or unsafe setting can enable secrets leakage, destructive commands, or persistence, according to Backslash Security. Access review thinking is not enough when the tool can act inside the terminal with broad runtime freedom.


At a glance

What this is: This is a Backslash Security analysis of Claude Code security best practices, focused on the identity and permission risks of an agentic coding assistant running inside a developer terminal.

Why it matters: It matters because teams must govern AI tools like privileged runtime actors, which changes how IAM, secrets protection, sandboxing, and approval boundaries should work across NHI, autonomous, and human workflows.

👉 Read Backslash Security's Claude Code security best practices guide


Context

Claude Code security is not just about code quality or developer productivity. Once an AI assistant can read files, run commands, install dependencies, and connect to APIs, the terminal becomes an identity and control boundary rather than a simple editing surface. That shifts the problem into NHI governance, permission design, and secrets exposure.

Backslash Security frames the risk around misconfiguration, unsafe approval flows, and overly broad MCP or hook access. The core issue for IAM teams is that an AI coding assistant can inherit real operating privileges while still behaving like an externally prompted actor, which breaks the assumptions behind simple trust-by-user-session models.


Key questions

Q: How should security teams govern AI coding assistants that can run commands and read files?

A: Treat the assistant as a governed non-human identity with scoped permissions, not as a harmless editor feature. Limit command execution, restrict filesystem reach, disable unnecessary hooks, and require explicit approval for risky actions. The control objective is to reduce the assistant’s reachable action space before a prompt or dependency can abuse it.

Q: Why do AI coding tools increase secrets exposure risk in developer environments?

A: They operate inside the same trust zone as source code, local configs, and terminal sessions, so any readable credential becomes immediately accessible to the assistant. If transcript retention, filesystem scope, or secrets boundaries are weak, the tool can surface or leak sensitive material faster than a human reviewer would notice.

Q: What breaks when MCP servers are enabled too broadly in an AI coding environment?

A: Broad MCP access collapses tool governance because the assistant can reach services, data, and actions that were never intended for every session. That creates persistence risk, hidden integration risk, and an easy path from normal developer prompts to unsafe side effects. The result is uncontrolled capability expansion.

Q: Who should approve changes to managed settings for an agentic coding assistant?

A: The same teams that govern privileged infrastructure should own those changes, because managed settings define the assistant’s operational boundary. Security, IAM, and platform owners should review changes that expand tool access, filesystem visibility, or hook execution. If the settings drift, the identity boundary has drifted with them.


Technical breakdown

Claude Code permissions and command execution boundaries

Claude Code behaves like a software actor operating within the developer’s permissions, which means its effective authority is determined by terminal access, filesystem visibility, and command execution rights. If allow, ask, and deny controls are too loose, the assistant can be steered into unsafe actions such as fetching secrets, modifying configs, or invoking shell commands that alter the environment. The risk is not the model alone. It is the combination of natural language prompting and real operating privileges.

Practical implication: treat command execution policy as a security control, not a convenience setting.

MCP servers, hooks, and persistence risk in AI coding environments

Model Context Protocol servers and hooks extend an assistant’s reach into tools, data, and workflows. In a coding environment, that power becomes dangerous when servers are auto-enabled, hooks are left active, or the assistant is allowed to reconnect to the same unsafe integrations after restart. This creates a persistence pattern where untrusted capabilities survive beyond a single session and can reintroduce risk every time the environment is opened.

Practical implication: tightly whitelist MCP servers and disable hooks that can create repeated unauthorised behaviour.

Secrets exposure through codebase access and weak containment

An AI coding assistant that can inspect project files can also reach credentials stored in .env files, config files, or adjacent directories if boundaries are weak. The threat is amplified when the environment lacks filesystem restrictions, transcript retention controls, or sandboxing. In practice, the assistant becomes a high-speed reader of everything the developer can see, including data that should never be available to an inference layer or external tool chain.

Practical implication: combine filesystem restrictions, sandboxing, and secrets management so the assistant never sees plaintext credentials.


Threat narrative

Attacker objective: The attacker aims to turn a trusted coding assistant into a conduit for secrets theft, code tampering, or persistence inside the development environment.

  1. Entry occurs when a developer or project configuration gives the coding assistant broad terminal, filesystem, or MCP access inside the workstation or container.
  2. Escalation follows when unsafe prompts, auto-approved actions, or permissive hooks turn that access into command execution, file reads, dependency changes, or outbound connections.
  3. Impact occurs when secrets are copied out, malicious code is introduced, persistence is established, or the repository and local environment are altered at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Claude Code security is really an NHI governance problem disguised as a developer ergonomics problem. Once an assistant can inspect files, run commands, and invoke tools, it is no longer just a user interface. It becomes a non-human identity with operational reach that must be scoped, monitored, and contained like any other privileged workload. Practitioners should stop treating coding assistants as harmless productivity layers and start treating them as governed runtime actors.

Default trust collapses when an AI assistant inherits the developer’s authority but operates at machine speed. The familiar assumption that a human can notice, interrupt, or reverse risky behaviour does not hold when the assistant can chain commands, touch secrets, and modify configuration in one session. That is why permission design, sandboxing, and tool whitelisting matter here more than user training alone. Practitioners need to re-evaluate where human approval actually exists in the control loop.

Managed settings are the new policy boundary for agentic coding tools. The article makes clear that security lives in configuration files, hook behaviour, and explicit tool allowlists, not in the model name itself. That means governance has to follow the control surface, not the brand. Practitioners should define who can change those settings, how drift is reviewed, and what constitutes unauthorised expansion of assistant capability.

Secrets exposure risk is amplified because code assistants operate inside the same trust zone as source, dependencies, and local credentials. When the assistant can read project files or run shell commands, credential sprawl and local developer hygiene become direct security inputs. The practical lesson is that secrets management, filesystem restriction, and developer workstation hardening are now part of AI tool governance, not separate disciplines.

Runtime freedom is the named risk here: an AI coder with broad permission becomes an identity blast radius problem. The assistant is useful precisely because it can act across many systems, but that breadth is what turns one unsafe prompt into repository tampering, credential leakage, or persistent compromise. Practitioners should measure the size of the reachable action space before they measure the model’s output quality.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian and CyberArk.
  • For adjacent analysis, Analysis of Claude Code Security shows how agentic coding tools change the trust boundary inside developer workflows.

What this signals

Runtime freedom is the new blast-radius variable: when an assistant can execute commands, inspect source, and touch local secrets, the governance question is no longer whether the model is accurate. It is whether the reachable action set is narrow enough to survive a single bad prompt or unsafe dependency.

With 6 distinct secrets manager instances on average in the broader secrets landscape, fragmentation already weakens centralised control. That fragmentation becomes more dangerous when an AI coding assistant can move across files, tools, and configs inside the same workflow.

Teams should align this topic with OWASP Top 10 for Agentic Applications 2026 and NIST AI Risk Management Framework, then map the assistant’s tool access to those governance expectations. The practical signal is simple: if you cannot explain the assistant’s permitted actions in one sentence, the programme is already behind.


For practitioners

  • Constrain command execution by default Set allow, ask, and deny rules so the assistant can only run commands that are explicitly safe for the current project. Block risky shell patterns, outbound fetches, and any read path that can expose credentials or production data.
  • Whitelabel MCP servers and disable unnecessary hooks Approve only the servers and hook paths you have reviewed, then remove any integration that can create persistence or hidden side effects after restart. Treat auto-enabled tool access as a change-management event.
  • Sandbox the assistant in a constrained environment Run the tool inside a VM, container, or similarly isolated workspace with filesystem restrictions and no root privileges. Keep access to ~/.ssh, secrets directories, and other sensitive paths out of scope.
  • Shorten transcript retention and review settings drift Keep transcript retention low, then review managed settings on a fixed cadence to catch capability creep. If the configuration file has changed, treat that as a governance event rather than a routine developer preference.
  • Separate secrets from the development workspace Use proper secrets management instead of plaintext .env files or broadly readable config files. The assistant should not be able to discover credentials simply because they exist in the same project tree.

Key takeaways

  • Claude Code security is an identity and permission problem, not just a developer workflow problem.
  • Broad terminal access, hooks, and MCP servers can turn a helpful assistant into a path for secrets theft, code tampering, or persistence.
  • Sandboxing, explicit allowlists, and tight secrets boundaries are the controls that reduce the assistant’s reachable blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10NHI-01Covers tool misuse and unsafe autonomy in agentic coding assistants.
OWASP Non-Human Identity Top 10NHI-03Applies to secrets exposure, rotation, and leakage in developer environments.
NIST Zero Trust (SP 800-207)PR.AC-4Zero Trust access boundaries fit the terminal, filesystem, and tool chain controls discussed here.

Inventory and protect all credentials the assistant can reach, then remove plaintext secret storage.


Key terms

  • Agentic Coding Assistant: A software assistant that can plan and carry out coding-related actions inside a developer environment. In practice, the security question is not whether it writes code well, but what it can read, execute, and change while using the developer’s permissions.
  • Managed Settings: A persistent configuration layer that defines what an AI coding tool may do, what it must ask about, and what it cannot touch. For identity teams, this becomes the policy boundary that governs command execution, tool use, and exposure to sensitive paths.
  • MCP Server: A tool connector that extends an AI system to external data sources, commands, or services. In security terms, an MCP server widens the assistant’s effective privilege boundary, so every enabled server becomes part of the identity and access control decision.
  • Secrets Management: The discipline of storing, rotating, and limiting access to credentials such as API keys, tokens, certificates, and SSH keys. In an AI-assisted development workflow, the key issue is preventing those secrets from becoming readable by tools that do not need them.

What's in the full article

Backslash Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Exact managed-settings.json examples for controlling hooks, transcript retention, and command permissions
  • Step-by-step examples of allow, ask, and deny rules for safer Claude Code operation
  • Practical advice for sandboxing the assistant in Docker, Podman, or a VM
  • Vendor-referenced configuration guidance for blocking risky MCP servers and sensitive filesystem paths

👉 The full Backslash Security post covers managed settings, MCP server controls, and sandboxing examples.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org