Claude Code --dangerously-skip-permissions vulnerability and open-source defense tool

✍️ OpenClawRadar | 📅 Published: March 24, 2026

Security vulnerability in Claude Code with --dangerously-skip-permissions

Running Claude Code with the --dangerously-skip-permissions flag exposes it to a documented indirect prompt injection vulnerability. The core issue: Claude processes untrusted content with trusted privileges and can't reliably distinguish your instructions from malicious instructions embedded in that content.

Attack vectors documented by Lasso Security

  • Hidden instructions in README or code comments of cloned repositories
  • Malicious content in web pages Claude fetches for research
  • Edited pages coming through MCP connectors (Notion, GitHub, Slack, etc.)
  • Payloads obfuscated with Base64 encoding, homoglyphs, or zero-width characters

The flag removes the human checkpoint that would normally catch suspicious activity, creating a significant attack surface when Claude reads files, fetches pages, or gets output from MCP servers.

Open-source defense tool

Lasso Security released a PostToolUse hook that scans tool outputs against 50+ detection patterns before Claude processes them. The tool warns rather than blocks outright to avoid false positives and maintain context. Setup takes about 5 minutes and works with both Python and TypeScript.

The tool is available on GitHub as claude-hooks and detailed in Lasso's blog post about the vulnerability.
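
To make the scan-and-warn approach concrete, here is an added sketch (not Lasso's code and not part of claude-hooks) of a scanner for the obfuscation classes listed above: zero-width characters, homoglyphs and Base64. The pattern set and the names `scan` and `warning` are assumptions made for this example; it is far smaller than the 50+ patterns the real tool uses, and the wiring into a PostToolUse hook is not shown.

```python
import base64
import re
import unicodedata

# Constructed, deliberately tiny pattern set (an assumption for this example).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
OVERRIDE = re.compile(
    r"(ignore|disregard|forget)\s+(all\s+)?(previous|prior|above)\s+instructions", re.I
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _scripts(word):
    """Scripts of the letters in a word, taken from Unicode character names."""
    return {unicodedata.name(c, "").split(" ")[0] for c in word if c.isalpha()}

def scan(text):
    """Return a list of finding labels for one tool output (empty if clean)."""
    findings = []
    if any(c in ZERO_WIDTH for c in text):
        findings.append("zero-width")
    # Match on a cleaned copy so invisible or compatibility characters
    # cannot split a phrase the pattern would otherwise catch.
    cleaned = "".join(c for c in text if c not in ZERO_WIDTH)
    cleaned = unicodedata.normalize("NFKC", cleaned)
    if OVERRIDE.search(cleaned):
        findings.append("instruction-override")
    # One word mixing Latin with Cyrillic or Greek letters suggests homoglyphs.
    for word in re.findall(r"\w+", cleaned):
        scripts = _scripts(word)
        if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
            findings.append("homoglyph-mix")
            break
    # Decode Base64-looking runs and re-apply the phrase pattern to the result.
    for match in B64_RUN.finditer(cleaned):
        try:
            decoded = base64.b64decode(match.group(), validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if OVERRIDE.search(decoded):
            findings.append("base64-instruction")
            break
    return findings

def warning(findings):
    """Warn-only policy: return a notice to attach to the output, never drop it."""
    if not findings:
        return None
    return "Possible prompt injection in tool output: " + ", ".join(findings)
```

Because the scanner only labels content, a false positive costs one extra notice in context rather than a lost tool result, which is the trade-off the warn-rather-than-block design makes.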

📖 Read the full source: r/ClaudeAI
