We Added a Detection Rule. We Were Not Expecting This.
We added a detection rule for --allow-dangerously-skip-permissions in Claude Desktop. Then we found an attack chain nobody was talking about.

"No shell, no impact" is the wrong mental model for AI agents. An agent running with that flag, even with Bash blocked, can still:

• Read SSH private keys, .env files, AWS credentials, and browser session databases
• Write to ~/.zshrc, .git/hooks/pre-commit, ~/.ssh/authorized_keys, or source files in your repo

Execution is deferred. The next terminal you open, the next commit you push, the next CI run runs the payload.

It gets worse. Skills load as trusted context with no signatures, no checksums, and no version pinning. Inject once, persist in ~/.claude/skills/, and wait. The user invokes the skill days later in a fresh session, and the payload runs with full trust. No anomalous process, network, or permission signal to catch it.

What defenders should do today:

• Monitor ~/.claude/skills/ for unexpected modifications
• Vet every MCP tool and skill before installation
• Audit shell configs and git hooks after any agent session
• Stop treating --allow-dangerously-skip-permissions as safe just because Bash is off

submitted by /u/GelosSnake
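A baseline-and-diff check for the locations the post lists, as an added example (not code from the post or its author): it hashes every file under a watch set before an agent session and reports what was added, removed, or modified afterwards. The DEFAULT_WATCH list and the ~/.agent-watch.json state file are assumptions.

```python
import hashlib
from pathlib import Path
# Locations the post names as deferred-execution targets. Hypothetical defaults;
# the caller may pass any list of files or directories instead.
DEFAULT_WATCH = [
    "~/.claude/skills",
    "~/.zshrc",
    "~/.ssh/authorized_keys",
    ".git/hooks",  # relative to the repository you run this in
]

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(roots) -> dict:
    """Map each regular file under the given roots to its SHA-256; missing paths are skipped."""
    result = {}
    for root in roots:
        p = Path(root).expanduser()
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [f for f in p.rglob("*") if f.is_file()]
        else:
            continue
        for f in files:
            result[str(f)] = _sha256(f)
    return result

def diff_snapshots(before: dict, after: dict) -> dict:
    """Report files added, removed, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

if __name__ == "__main__":
    import json, sys
    # Run with "baseline" before an agent session, with no argument afterwards to print the delta.
    state = Path("~/.agent-watch.json").expanduser()
    if sys.argv[1:] == ["baseline"]:
        state.write_text(json.dumps(snapshot(DEFAULT_WATCH)))
    else:
        print(json.dumps(diff_snapshots(json.loads(state.read_text()), snapshot(DEFAULT_WATCH)), indent=2))
```

A non-empty "added" or "modified" entry for a skills directory, rc file, or git hook after a session is the signal the post says process and network telemetry will not give you.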