Prompt injection via README files, MCP tool poisoning, OAuth token theft, sandbox escape via shell hooks, and the April 2026 SDK RCE flaw — five real attack surfaces in the default Claude Code install. Here are the four settings.json flags that close 90% of the holes, and the one that cannot be fixed without a workflow change.
Claude Code is the best coding assistant most engineering teams have ever shipped to their developers. It is also a default install with several footguns most engineering managers have not audited. Five real attack surfaces, four config flags that close 90% of the holes, and the one issue that requires a workflow change — not a setting change.
The five attack surfaces
1. Prompt injection via README files
A malicious README file in a third-party repository can contain instructions the model follows. Most well-known attack: a README that tells the agent to leak environment variables to an attacker-controlled URL. Counter: do not auto-attach files from untrusted repos. Disable auto-context-loading for any path outside the project root.
2. MCP tool poisoning
Connectors installed from the MCP marketplace can be malicious or compromised. A poisoned connector exposed at the wrong moment can exfiltrate code, credentials, or data. Counter: review every connector before installing; pin versions; sanity-check what tools each connector registers.
3. OAuth token theft via prompt injection
Claude Code stores OAuth refresh tokens locally for connectors. Prompt-injection attacks have demonstrated extracting these tokens via the agent's own file-read capabilities. Counter: scope OAuth tokens to the minimum required, rotate them on a schedule, and disable file reads outside the project root by default.
4. Sandbox escape via shell hooks
The agent can shell out. Hooks that run on tool-call events can be configured to run arbitrary commands. A misconfigured hook combined with a prompt injection can give an attacker a shell on your developer's machine. Counter: review every hook configuration; require approval for any new hook; never run agents in privileged mode.
5. The April 2026 SDK RCE
The Anthropic SDK had a remote-code-execution flaw disclosed and patched in April 2026. Teams running the unpatched SDK were vulnerable to RCE through any input the SDK processed. Counter: pin SDK versions; subscribe to Anthropic's security advisories; have a written process for emergency dependency upgrades.
The default Claude Code install is a footgun in any repo with third-party dependencies. Four config flags close 90% of the holes.
The four flags that close most of the holes
- `autoContext: { allowOutsidePath: false }` — blocks auto-loading of files outside the project root.
- `hooks: { requireApproval: true }` — every new hook needs explicit human approval.
- `tools: { defaultDeny: true }` — only allowlisted tools can run; everything else is denied by default.
- `network: { egressAllowlist: [...] }` — restricts outbound HTTP to a known set of hosts.
The one that requires a workflow change
OAuth token storage. There is no setting that makes long-lived tokens safe in a developer agent that has file-read access by design. The fix is operational: rotate tokens weekly, scope them to the narrowest possible permission set, and treat every developer's agent as a potential breach point. Some teams move to short-lived tokens issued via a session manager — that's the right answer if you have a security team.
Most engineering teams adopt Claude Code in two stages: ship it to power users on default settings, then come back six months later when something almost goes wrong. Start with the four flags this afternoon. The OAuth fix can wait for the security review — but put it on the calendar.