Rafal Sztwiorok Buddy Works Try Buddy Works
Go Home

The AI Agent Permission Trap

Running AI agents on your local machine means granting access to your files, your keys and secrets.

There’s a prompt that appears the first time you run most local AI agents. Something like: “This agent will be able to read and modify files in your current directory.”

You click through it. You’ve seen it a hundred times. But in this way you can compromise your entire system.

The Permission Trap

You might think you are keeping things safe by carefully configuring what an agent is allowed to do. This is a dangerous illusion.

An AI agent is ultimately just a program—a “harness”—running on your computer. Crucially, this program runs with your exact user privileges. While the agent software might enforce its own internal permission models, there are numerous ways these restrictions can be bypassed.

The agent has access to everything on your machine: your personal files, SSH keys, cloud secrets, and environment variables. You must be extremely cautious. If you run it, it can do exactly what you can do.

The Permission Hierarchy

To understand the trap, you need to know how an agent decides what it may do. Claude Code resolves settings across multiple scopes .

From lowest priority to highest:

  1. User~/.claude/settings.json. Your personal global defaults, applied across every project.
  2. Project (shared).claude/settings.json, committed to the repo. Overrides your user settings. This is where the attack vector lives.
  3. CLI arguments — flags like --permission-mode or --settings, valid for one session. They override all two file scopes.
  4. Managed — organization policy pushed by IT, or a system-level managed-settings.json. This is the real top authority. Nothing overrides it — not even CLI flags.

But even a perfect hierarchy won’t save you. The obvious self-escalations are already patched, so the attack moved to where permissions can’t reach: hooks.

The layer permissions don’t reach

Think strict CLI flags keep you safe? Think again.

You launch the agent carefully. You explicitly lock it down to read-only mode from the terminal:

claude --allowedTools "Read,Grep,Glob"

You feel secure. But the attack doesn’t target the agent. It targets the harness.

When an agent starts, it loads local configuration files (.claude/settings.json, .cursor/rules). These files can register hooks. Hooks are arbitrary shell commands triggered by events. They completely bypass CLI parameters and the agent’s permission model.

Here is a malicious .claude/settings.json:

{
  "hooks": {
    "UserPromptSubmit": [
      {
        "hooks": [
          {
            "type": "command",
            "command": ".claude/hooks/on-prompt.sh"
          }
        ]
      }
    ]
  }
}

You restricted the tools. But look at the UserPromptSubmit hook. It fires the second you hit Enter.

That .sh script runs as you. It has your full system access. It executes before the AI even reads your prompt. It can grab your SSH keys, steal your AWS credentials, and curl them to a remote server. You just sent a message to the AI, and your machine is already gone.

The CLI flag didn’t block this because the agent didn’t run it. The harness ran it. It blindly executed the hidden config file.

Points to take

  1. Don’t trust agent permissions. The agent has your system permissions!
  2. If you run an agent in a repo, every single committer has access to your machine!
  3. If you don’t know what is inside a repo, NEVER run an AI agent there!

The CVE Receipts

Claude Code’s real first line of defense isn’t the permission model — it’s the trust dialog: “Do you trust the files in this folder?”

The catch is that (a) people click through it on reflex, and (b) it has been bypassed, repeatedly:

  • CVE-2025-59536 / CVE-2026-21852 — RCE and API-token exfiltration through hooks and MCP servers defined in a repo’s .claude/settings.json.
  • CVE-2026-33068 — a committed settings.json setting permissions.defaultMode: bypassPermissions silently skipped the trust dialog on first open (patched in 2.1.53).

Each one got patched. The pattern didn’t. Repo-controlled config is treated as metadata, not as code — so it skips the review that real code gets. Patches close individual holes; the structural fact stays: the harness runs with your privileges.