Protected Paths & Sandboxing

Updated on 5/8/2026

To prevent accidents and malicious injections, Claude Code has built-in guardrails that go beyond the standard permission modes.

Protected Paths

Even in acceptEdits or auto mode, Claude will always prompt for approval before writing to these paths:

  • Directories: .git, .vscode, .idea, .husky, .claude (with exceptions like agents).
  • Files: .gitconfig, .bashrc, .zshrc, .profile, .mcp.json.
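As an added illustration (not Claude Code's own implementation), the following Python example audits a list of file paths, such as those changed during an agent session, against the names listed above. The component-wise matching rule, the function names and the sample paths are assumptions; `agents` is the only `.claude` exception handled because it is the only one this page names.

```python
from __future__ import annotations
from pathlib import PurePosixPath

# Names copied from the list above.
PROTECTED_DIRS = {".git", ".vscode", ".idea", ".husky", ".claude"}
PROTECTED_FILES = {".gitconfig", ".bashrc", ".zshrc", ".profile", ".mcp.json"}
# Assumption: "agents" is the only .claude exception this page names.
CLAUDE_EXEMPT_SUBDIRS = {"agents"}
# Constructed sample input, not taken from a real session.
SAMPLE_PATHS = [
    "src/app.py", ".github/workflows/ci.yml", "src/../.git/hooks/pre-commit",
    ".claude/settings.json", ".claude/agents/reviewer.md", "/home/dev/.bashrc",
]


def _normalize(path: str) -> list[str]:
    """Resolve '.' and '..' lexically so 'src/../.git/config' cannot hide .git."""
    parts: list[str] = []
    for part in PurePosixPath(path.replace("\\", "/")).parts:
        if part in (".", "/"):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return parts


def protected_reason(path: str) -> str | None:
    """Return why a write to `path` would need approval, or None."""
    parts = _normalize(path)
    if not parts:
        return None
    for i, part in enumerate(parts[:-1]):  # directory components only
        if part in PROTECTED_DIRS:
            if part == ".claude" and parts[i + 1] in CLAUDE_EXEMPT_SUBDIRS:
                continue
            return f"inside protected directory {part}"
    if parts[-1] in PROTECTED_FILES:
        return f"protected file {parts[-1]}"
    if parts[-1] in PROTECTED_DIRS:
        return f"protected directory {parts[-1]}"
    return None


def audit(paths: list[str]) -> dict[str, str]:
    """Map each flagged path to its reason; unflagged paths are omitted."""
    return {p: r for p in paths if (r := protected_reason(p))}
```

Names are matched exactly per path component, so `.github/workflows/ci.yml` is not flagged even though it shares a prefix with `.git`.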

Sandboxing

Permissions and sandboxing are complementary layers:

  • Permissions: Control whether Claude uses a tool at all.
  • Sandboxing: OS-level isolation that restricts what the tool (Bash) can actually see or touch.

Defense in Depth

  1. Deny Rules: Prevent the agent from even trying a tool.
  2. Classifier (Auto Mode): Vets the intent of the tool call.
  3. Sandbox: Keeps a prompt injection that bypasses the agent's logic from accessing forbidden resources.

Note: With sandboxing enabled and autoAllowBashIfSandboxed: true set, Claude stops prompting for Bash actions, because the sandbox boundary replaces the prompt.