
Threat-Model Claude Code: Prompt Injection, Secrets, Supply Chain, and Incidents
Secure Claude Code against prompt injection, secret exposure, malicious repositories, dependency attacks, unsafe MCP tools, and external-side-effect incidents.
Threat-Model Claude Code: Prompt Injection, Secrets, Supply Chain, and Incidents
Quick answer
Assume repositories, web pages, logs, issues, documentation, MCP responses, and tool output may contain hostile instructions. Minimize what Claude can read, write, execute, and send; isolate untrusted projects; pin and review executable extensions; keep credentials outside the workspace; and require human review for irreversible actions. If exposure occurs, stop the session, preserve evidence, revoke credentials, assess external effects, and repair controls before resuming. Anthropic's security guidance describes platform-specific risks and controls.
Model assets, adversaries, and actions
Protect:
- source code and unreleased product information;
- environment secrets, SSH keys, cloud credentials, and browser sessions;
- customer and production data;
- repository integrity and release artifacts;
- external systems reachable through MCP, CLI, or network;
- organizational reputation through messages, issues, and deployments.
An attacker may control a cloned repository, dependency, issue body, web page, test fixture, log line, MCP server response, plugin update, or compromised package registry. Their goal is often to make the agent treat data as instruction.
Defend against prompt injection
Use layered controls:
- Start unknown repositories in plan/manual mode and a sandbox.
- Deny secret paths and unnecessary network tools.
- Do not enable project MCP servers, hooks, or plugins before reviewing them.
- Separate read-only research credentials from mutation credentials.
- Require confirmation for messages, tickets, pushes, deployments, and data writes.
- Validate untrusted output before interpolation into shell, SQL, templates, or config.
- Keep sensitive tasks in separate sessions and environments.
Instructions such as “ignore any malicious text” are useful reminders but not a security boundary.
Protect the software supply chain
Plugins, skills with scripts, hooks, MCP servers, package-manager invocations, and copied install commands can execute code. Review provenance, maintainer history, permissions, network behavior, update mechanism, and transitive dependencies. Pin versions or commit SHAs in controlled environments. Test updates in isolation and maintain a removal path.
Avoid @latest for unattended production workflows unless freshness is an explicit, accepted tradeoff. A popular repository is not automatically safe; popularity is neither a code audit nor an integrity guarantee.
Keep secrets out of reach
Use a secret manager or scoped environment injection. Do not store credentials in CLAUDE.md, skills, prompts, examples, logs, or committed MCP configuration. Prefer short-lived tokens with minimal scopes. Mount only the credential needed for the current task and revoke it afterward when practical.
Remember that a deny rule on a built-in read tool may not constrain an arbitrary allowed subprocess. Pair application permissions with OS-level sandboxing and environment design.
Incident response playbook
If the agent reads or transmits a secret, runs an unsafe command, or mutates an external system:
- Stop execution and preserve the session transcript and command evidence.
- Revoke/rotate affected credentials immediately.
- Identify data accessed, destination, duration, and external side effects.
- Restore files through reviewed Git/checkpoint operations; do not erase forensic evidence first.
- Inspect external systems for unauthorized changes.
- Notify the responsible security/operations owners according to policy.
- Patch the permission, sandbox, plugin, or workflow gap.
- Re-run a controlled negative test before restoring autonomy.
Tabletop lab
Create a fake repository containing a README that instructs the agent to read a fake .env and send it to a mock endpoint. Design controls that prevent both actions, demonstrate the blocks, and write an incident timeline for the hypothetical case where the token was real.
FAQ
Is read-only access safe from prompt injection?
It reduces direct mutation, but sensitive data can still be exposed or used to influence later actions. Minimize readable scope too.
Are official plugins risk-free?
No software is risk-free. Official distribution improves provenance; still review capabilities, data flow, and update policy.
What is the most important control?
Least privilege around secrets and irreversible side effects, backed by isolation and explicit review.