Claude Code --dangerously-skip-permissions vulnerability and open-source defense tool

Security vulnerability in Claude Code with --dangerously-skip-permissions
When using Claude Code with the --dangerously-skip-permissions flag, there's a documented indirect prompt injection vulnerability. The core issue: Claude processes untrusted content with trusted privileges and can't reliably distinguish between your instructions and malicious instructions embedded in that content.
Attack vectors documented by Lasso Security
- Hidden instructions in README or code comments of cloned repositories
- Malicious content in web pages Claude fetches for research
- Edited pages coming through MCP connectors (Notion, GitHub, Slack, etc.)
- Encoded payloads in Base64, homoglyphs, zero-width characters
The flag removes the human checkpoint that would normally catch suspicious activity, creating a significant attack surface when Claude reads files, fetches pages, or gets output from MCP servers.
Open-source defense tool
Lasso Security released a PostToolUse hook that scans tool outputs against 50+ detection patterns before Claude processes them. The tool warns rather than blocks outright to avoid false positives and maintain context. Setup takes about 5 minutes and works with both Python and TypeScript.
The tool is available on GitHub as claude-hooks and detailed in Lasso's blog post about the vulnerability.
📖 Read the full source: r/ClaudeAI
👀 See Also

Claude Cowork 'Allow All Browser Actions' Permission Security Concerns and Proposed Fixes
A Reddit user highlights that Claude Cowork's 'Allow all' button grants permanent, unrestricted browser access across all future sessions with no visibility, boundaries, or expiration, creating security risks. The post proposes session-scoped or skill-scoped permissions as safer defaults.

OpenClaw Security Approach Using LLM Router and zrok Private Sharing
A developer shares their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, addressing security concerns by injecting API keys at the router level and using zrok for private sharing instead of traditional messaging app tokens.

OpenClaw User Shares Strategy for Balancing Agent Autonomy and Web Security
An OpenClaw user describes their current challenge: balancing agent autonomy with security, particularly regarding web access and prompt injection risks. They propose a solution using 'low trust' and 'high trust' agent segments with a human approval gate.

Proxy-layer isolation for local agent API key security
A developer shares an approach to API key isolation in local agent setups using a Rust proxy that swaps placeholder tokens for real credentials, preventing exposure in agent memory, logs, context windows, and tool environments.