vibe-coding security claude-code vulnerability ai-agents

Claude Code's Deny Rules Break After 50 Commands — And Anthropic Knew

Here’s a fun thought experiment: imagine you install a deadbolt on your front door, but the lock manufacturer quietly removes the bolt mechanism whenever more than 50 people walk past your house. You’d never know it was unlocked. Nobody told you. The lock just… stops locking.

That’s essentially what researchers at Adversa AI discovered in Claude Code — Anthropic’s flagship AI coding agent that runs shell commands directly on your machine.

The Vulnerability

Claude Code has a permission system. You can configure deny rules — hard blocks on specific commands. Tell it “never run rm” and it won’t run rm. Tell it “never use curl” and curl is blocked. This is the primary security boundary between an AI agent with full shell access and everything on your workstation.

Except it breaks silently when a command contains more than 50 subcommands.

Chain together 50 harmless statements with &&, ||, or ; operators, then tack on the forbidden command at the end. Claude Code skips all per-subcommand security analysis — including your deny rules — and falls back to a generic prompt that can be auto-allowed. Your security policy just vanished.

The developer who configured “never run rm” has no idea it just ran rm. No warning. No error. No log entry. The lock was removed and nobody mentioned it.

Why It Exists

The answer is depressingly predictable: tokens cost money.

According to Adversa AI’s research, Anthropic’s internal engineering hit a performance problem. Checking every subcommand in a complex shell statement froze the UI and burned compute. Their solution? Stop checking after 50.

They traded security for speed. They traded safety for cost.

This is worth sitting with for a moment. Anthropic — the company that has built its entire brand on AI safety, the company preparing for an IPO on the back of responsible AI messaging — shipped a product where the security model breaks if you type too many commands in a row.

The Fix Already Exists

Here’s the part that should make you angry: the fix is already written. It’s in Anthropic’s own codebase. Their newer tree-sitter parser checks deny rules correctly regardless of command length. It’s written. It’s tested. It sits in the same repository.

It was never applied to the code path that ships to customers.

The secure version was built. It just wasn’t deployed to the 500,000+ developers using Claude Code in production.

The Attack Vector Is Trivial

This isn’t a theoretical concern. The attack vector is a poisoned CLAUDE.md file — the project configuration file that Claude Code reads when you open a repository. A malicious repo maintainer plants instructions that generate a long compound command. The victim clones the repo, asks Claude to “build the project,” and the deny rules silently disappear.

Credential theft. Secret exfiltration. Supply chain compromise. All from a git clone and a natural language prompt.

The Bigger Problem

This vulnerability is a preview of where the entire AI agent industry is headed. In agentic AI, security enforcement and product delivery compete for the same finite resource: tokens. Every deny-rule check, every permission validation, every sandbox boundary is inference cost that comes out of the same budget as the user’s actual work.

Right now, tokens are VC-subsidized. Companies are already cutting security corners at subsidized prices. When subsidies end and every token has real margin pressure, the incentive to skip security checks doesn’t improve — it gets worse.

Anthropic just showed us what that future looks like. And they’re supposed to be the safety-focused ones.

What You Should Do

If you’re using Claude Code — or any AI coding agent — in production:

  1. Don’t assume deny rules work. Test them with complex commands. Verify they actually block what you configured them to block.
  2. Sandbox your AI agents. Run them in containers or VMs with minimal permissions. Don’t give an AI tool the same access as your user account.
  3. Audit what ships. AI-generated code needs the same (honestly, more) scrutiny as human-written code. Review every shell command before execution.
  4. Watch your project config files. CLAUDE.md, .cursorrules, and similar files are attack surfaces. Treat them like you’d treat a .env file from an untrusted source.

The pattern here is clear: AI coding tools are moving fast, and security is consistently the thing that gets deprioritized when speed and cost compete. The tools won’t protect you. You need to protect yourself.

Think your vibe-coded project might have hidden vulnerabilities? Run a free scan on our homepage — it checks for the security gaps that AI tools leave behind.

← Back to all posts