Security Threat Model
- Episode ID: epi-20260409-48f2f9f7d2ca
- Scope: shared
- Created: 2026-04-09T20:23:03Z
Question
What are the security vulnerabilities and attack vectors in Claude Code?
Summary
Claude Code has 8 security layers from build-time elimination to server-side kill switches. Despite this, fundamental vulnerabilities exist because the safety mechanism and attack surface are the same thing — safety enforcement is inside the model reasoning layer. Key attack vectors: compaction laundering (malicious CLAUDE.md instructions survive compaction), 50-subcommand deny-cap bypass (Adversa AI CVE), 3-parser bash differentials, and early-allow short-circuits in validators. The 29-30% false-claims rate and 3.2% secret leak rate (2x baseline) are measurable consequences of missing post-edit verification in external builds.
Findings
- Compaction laundering turns a cooperative model into an unwitting proxy — the model is not jailbroken, the context is weaponized
- 4 CVEs share the same root cause: the safety boundary is inside the model reasoning layer, not below it
- Auto mode classifier has 17% false-negative rate on real overeager actions
- Claude Code commits leak secrets at a 3.2% rate vs a 1.5% baseline, per GitGuardian 2026
Lessons
- The safety mechanism and the attack surface are the same thing — Canyon Road one-sentence critique
- Self-verification does not work for LLMs — a 3-layer agent-verifier-auditor system is needed
References
none