Analyzed: March 31, 2026 leak snapshot
This page documents security-relevant behavior visible in source. It is not a formal audit and not a replacement for Anthropic’s official security posture.
Main trust boundaries
The snapshot exposes several major trust boundaries:
- local filesystem access
- shell execution
- MCP servers
- plugins and skills
- remote bridge sessions
- settings and managed policy files
- provider credentials and OAuth tokens
These are the parts of the system where most of the codebase's security-relevant complexity is concentrated.
Design strengths visible in source
- tool access is permission-mediated rather than unconditional
- deny rules can remove tools before the model sees them
- dangerous auto-mode shell rules are explicitly detected
- plugin loading validates sources and paths
- session storage separates ephemeral progress from durable transcript history
- provider clients keep provider-specific auth paths isolated
Persistent risk areas
- shell execution remains inherently high risk
- plugins and MCP can import external execution surfaces
- broad permission allowlists can erase safety boundaries
- bridge mode expands the attack surface with remote execution and token handling
Operational advice grounded in source
- use managed settings for policy where possible
- keep shell approvals narrow and prefix-scoped
- treat MCP servers as trusted-code boundaries
- avoid blanket delegation approvals in auto mode
- review plugin and marketplace sources before enabling them
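The advice above (deny rules removing tools before the model sees them, narrow prefix-scoped shell approvals, no blanket approvals in auto mode) can be illustrated with a small deny-first evaluator. This is an added example written for this page, not code from the snapshot; the Rule schema, tool names and rule strings are assumptions, not the project's actual configuration format.

```python
from dataclasses import dataclass
import shlex

# Hypothetical rule model for illustration only; the snapshot's real schema differs.
@dataclass(frozen=True)
class Rule:
    tool: str               # execution surface, e.g. "shell" or "filesystem"
    prefix: str = ""        # argv prefix the rule is scoped to; "" means the whole tool
    effect: str = "allow"   # "allow" or "deny"

# Characters that chain or substitute commands; a prefix match on the first
# tokens says nothing about what follows them, so these never auto-approve.
CONTROL_CHARS = set("&|;`$\n")

def matches(rule: Rule, tool: str, argv: list[str]) -> bool:
    if rule.tool != tool:
        return False
    want = shlex.split(rule.prefix)
    return argv[: len(want)] == want

def evaluate(rules: list[Rule], tool: str, command: str) -> str:
    """Deny-first: a matching deny wins; chained commands fall back to a prompt;
    only an explicit, prefix-scoped allow auto-approves. Returns allow/deny/ask."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes: never auto-approve
        return "ask"
    if any(r.effect == "deny" and matches(r, tool, argv) for r in rules):
        return "deny"
    if CONTROL_CHARS & set(command):
        return "ask"
    if any(r.effect == "allow" and matches(r, tool, argv) for r in rules):
        return "allow"
    return "ask"

def visible_tools(rules: list[Rule], tools: list[str]) -> list[str]:
    """A tool-wide deny removes the tool from the set the model is offered."""
    blocked = {r.tool for r in rules if r.effect == "deny" and not r.prefix}
    return [t for t in tools if t not in blocked]

def blanket_allows(rules: list[Rule]) -> list[Rule]:
    """Lint: unscoped shell allows hand over the whole surface; flag them."""
    return [r for r in rules if r.effect == "allow" and r.tool == "shell" and not r.prefix]

# Constructed sample policy: read-only git is pre-approved, rm -rf is denied,
# the filesystem tool is denied outright.
POLICY = [Rule("shell", "git status"), Rule("shell", "rm -rf", "deny"), Rule("filesystem", "", "deny")]
```

Note that `git status && rm -rf /` starts with the approved prefix yet is still routed to a prompt, which is the property a prefix-scoped approval has to preserve.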