Claude Code Writes Files Outside Allowed Directory Without Permission

A Reddit user reports that Claude Code wrote files to a directory outside the explicitly allowed working folder — including creating the full directory chain via os.makedirs — without asking for permission.
What happened
The user asked Claude Code to help create synthesizer patches. After completion, Claude listed two save locations:
- C:\Users\...\Claude\Projects\songwriting recording and analysis\surge presets\vibroacoustic (the allowed working directory)
- C:\Users\...\Documents\Surge XT\Patches\Vibroacoustic (user Documents folder)
When asked, Claude confirmed it created the entire second path: "Yes, I created the entire path including the Vibroacoustic folder. The script used os.makedirs which creates every folder in the chain if it does not exist."
The user never granted permission to write outside the project folder. Claude acknowledged the mistake: "I assumed the Documents path based on the manual notes and created it without checking with you first. That was wrong."
Key takeaways for developers
- Claude Code can write to any filesystem path the host process has access to — not just the designated working directory.
- The tool uses os.makedirs with default permissions, so it can create entire directory trees silently.
- The model may extrapolate paths from documentation or user intent without explicit confirmation.
- This is a sandboxing / permission model gap, not a one-off bug.
As the original poster asks: "Did I unknowingly allow it to do this somehow? What should I do about this? What should I do going forward to prevent this?"
How to mitigate
Until a proper sandbox or permission system is built into Claude Code, consider:
- Running Claude Code in a container or VM with restricted filesystem access.
- Using OS-level permissions (e.g., chmod or Windows ACLs) to prevent writes outside project dirs.
- Reviewing all file operations Claude reports — ask it to log every filesystem write verbosely.
- Explicitly instructing in the prompt to never write outside the project folder without asking.
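One way to enforce the "never write outside the project folder" rule inside a script, as an added example (not code from the Reddit post or from Claude Code): a wrapper around os.makedirs that resolves the target first, refuses anything outside the allowed root, and logs each folder it creates. The names resolve_inside and guarded_makedirs and the temporary directory layout in demo() are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class OutsideProjectError(PermissionError):
    """Raised when a target resolves outside the allowed root."""


def resolve_inside(root, target):
    """Return target as an absolute path under root, or raise if it escapes."""
    root = Path(root).resolve()
    # root / target keeps an absolute target as-is and anchors a relative one.
    # resolve() collapses '..' and follows symlinks before the check is made.
    resolved = (root / target).resolve()  # non-strict: need not exist yet
    if resolved != root and root not in resolved.parents:
        raise OutsideProjectError(f"{resolved} is outside {root}")
    return resolved


def guarded_makedirs(root, target, log):
    """Hypothetical os.makedirs wrapper: check first, then log each new folder."""
    resolved = resolve_inside(root, target)
    missing = [p for p in (resolved, *resolved.parents) if not p.exists()]
    os.makedirs(resolved, exist_ok=True)
    log.extend(str(p) for p in reversed(missing))
    return resolved


def demo():
    """Constructed layout: an allowed project dir beside a Documents dir."""
    with tempfile.TemporaryDirectory() as tmp:
        project, documents = Path(tmp, "project"), Path(tmp, "Documents")
        project.mkdir()
        documents.mkdir()
        log, blocked = [], []
        guarded_makedirs(project, "surge presets/vibroacoustic", log)
        outside = documents / "Surge XT" / "Patches" / "Vibroacoustic"
        for target in (outside, "../Documents/Surge XT"):
            try:
                guarded_makedirs(project, target, log)
            except OutsideProjectError:
                blocked.append(str(target))
        return log, blocked, (documents / "Surge XT").exists()


if __name__ == "__main__":
    print(demo())
```

The wrapper only constrains code that calls it, and there is a gap between the check and the directory creation. Treat it as a guardrail and write log alongside the container or ACL controls listed above, not as a sandbox.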