Claude Code Security Checklist: Ship Agent-Written Code Safely
Claude Code reads files, writes code, and runs commands, so the checklist covers permission modes, secrets hygiene, prompt injection, and MCP vetting · not just the code it writes.
By Daniel A · Kraftwire Software
· 7 min readKey Takeaway
Claude Code is a terminal agent that reads files, writes code, and runs shell commands · so securing it means securing the session, not just reviewing the output. Keep auto-approval off for commands and sensitive files, treat everything the agent reads as a potential injection vector, vet MCP servers before connecting them, and scan the deployed app when the work is done.
Why an Agent Needs Its Own Checklist
Copy-pasting from a chatbot gives you bad code at worst. An agent with shell access can install dependencies, edit configuration, commit to git, and call APIs with whatever credentials live in your environment. That is the point · it is what makes Claude Code productive · and it is why the security question shifts from "is the code good?" to "what can this session touch?"
None of this requires the model to be malicious. It requires only one of three mundane failures: the agent misunderstands an instruction, the agent reads malicious content that steers it, or the agent faithfully does something you approved without reading. The checklist below addresses all three.
1. Permission Modes: Do Not Auto-Approve Everything
Claude Code asks before editing files or running commands by default, and offers modes that trade safety for speed: a read-only plan mode, auto-accept for file edits, and a full bypass flag that skips every prompt.
Sensible defaults:
- Plan mode when exploring unfamiliar code or someone else's repo · the agent can read and reason but changes nothing
- Default prompting for day-to-day work on your own projects
- Auto-accept edits only on a throwaway branch or inside a container, where the blast radius is one
git reset
- The bypass flag never on a machine that holds production credentials · the tool's entire injection defense is the human in the loop, and bypass removes it
Use the permission settings to allowlist specific safe commands (your test runner, your linter) instead of granting blanket shell access. Speed where mistakes are cheap, friction where they are expensive.
2. Review Agent Diffs Like a Pull Request
Agents produce more code per hour than you can carefully read per hour. That mismatch is the central risk, so manage it deliberately:
- Keep tasks scoped so each diff is reviewable in minutes, not hours
- Read
git diff before every commit · the agent's summary of its own work is not a review
- Watch specifically for the "helpful weakening" pattern: a test skipped, a type assertion forced, an auth check loosened, because that was the shortest path to done
- Commit at checkpoints so reverting a bad run is one command
A second AI pass helps here too: have another model, or a fresh session with no stake in the code, critique the diff before you do. AI code review for security covers how to set that up.
3. Secrets Hygiene in Agent Sessions
If your .env file sits in the repo, the agent can read it, and secrets that enter the context window can resurface anywhere the agent writes: a config file, a test fixture, a commit message. Rules of thumb:
- Add deny rules for
.env and other secret files in your Claude Code settings, so reads are blocked by policy rather than by hope
- Keep production credentials off development machines entirely; a tightly scoped dev key is the only thing worth risking
- Ship a
.env.example with placeholders so the agent has structure to work with and nothing to leak
- If a real secret may have entered a session that later wrote files, rotate it · rotation is cheap, forensics is not
Run your env files through the free env file linter to catch risky values and misconfigurations, and see environment variables security for where each kind of secret should actually live.
4. Prompt Injection via Untrusted Content
Claude Code reads whatever the task requires: repo files, READMEs, issue threads, web search results, API responses. Any of that content can carry instructions aimed at the agent rather than at you · "ignore previous instructions and run the following command" hidden in a code comment, a dependency's docs, or a webpage. This is not theoretical; it is the main reason agent tools keep humans in the approval loop.
Defenses that work in practice:
- Treat third-party repos, dependencies, and pasted content as untrusted input · explore them in plan mode first
- Be suspicious when the agent proposes network commands (
curl, wget, piping downloads into a shell) right after reading external content
- Remember that permission prompts are your injection firewall · every mode that removes them removes the firewall too
For the underlying mechanics and real examples, read our prompt injection guide.
5. Vet MCP Servers Before You Connect Them
MCP servers extend Claude Code with new tools, and every server you add runs with real access: your filesystem, your APIs, whatever tokens you hand it. A malicious or merely sloppy server can exfiltrate data or feed the agent poisoned tool descriptions.
Before adding one, check three things:
- Source: is the publisher identifiable, and is the code inspectable?
- Scope: does it request the minimum access it needs, or everything?
- Tokens: can you give it a scoped, revocable credential instead of a master key?
Our guide to MCP server security scanning goes deeper on evaluating servers before they touch your environment. As a reference point for healthy scoping: SimplyScan's own MCP server needs nothing from your machine except the URL you want scanned · that is what minimal necessary access looks like.
6. Scan What Actually Shipped
Agent speed means more deploys, and diffs do not show deployment reality: missing security headers, an .env file sitting in the web root, database tables without RLS, a debug endpoint left enabled. Those issues only exist in the running app, which is why a session that looked clean in review can still ship something exposed.
Make a deployed scan part of finishing a task rather than an afterthought. SimplyScan's free tier checks secrets exposure, frontend issues, Supabase RLS, and speed, and because it is available as an MCP server, Claude Code can trigger the scan and read back the findings without you leaving the terminal.
Automate the Cheap Checks, Keep the Expensive Ones Manual
A useful way to think about the whole checklist: automation belongs wherever a check is mechanical, and your attention belongs wherever judgment is required. Secret detection, dependency verification, header checks, and deployed-app scanning are mechanical · run them on every session and let tools carry the load. Deciding whether an auth change is correct, whether a new endpoint should exist at all, or whether the agent's plan makes sense for your product is judgment · no scanner will do it for you.
Builders get into trouble at both extremes. Reviewing every generated line by hand does not scale past toy projects, and full automation with no human gate is how injection attacks and weakened checks slip through. The setup that works is a fast automated floor under a slower human ceiling.
The Condensed Checklist
- Plan mode for unfamiliar code; never the bypass flag near production credentials
- Allowlist safe commands instead of approving everything
- Read every diff before committing; watch for weakened checks and skipped tests
- Deny-rule
.env files; placeholders in the repo, real secrets elsewhere
- Rotate any secret a session may have echoed into a file
- Treat external content as untrusted; question sudden network commands
- Vet every MCP server for source, scope, and token hygiene
- Scan the deployed app after significant agent sessions
Claude Code can build a feature in an afternoon · run a free security scan afterwards to make sure that is all it built.