A scrape of 18,470 Claude Code configs on GitHub shows a pattern: developers are handing their AI agents the keys to the castle.
Unrestricted file, shell, and network access is common. Among those configs:
- 21.3% let Claude run curl
- 14.5% allow arbitrary Python execution
- 19.7% give it git push privileges
That’s how a prompt injection turns into full-blown RCE or a supply chain breach.
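
To check a config for the three grants listed above, here is an added example (not part of the original post). It assumes the Claude Code settings layout, where `permissions.allow` holds rules such as `Bash(curl:*)`. The sample settings are constructed, and `deny` rules are not evaluated.

```python
import json
import re

# Capabilities named in the post, matched against the command inside Bash(...).
RISKY = {
    "network fetch (curl)": re.compile(r"^curl\b"),
    "arbitrary Python execution": re.compile(r"^python[0-9.]*\b"),
    "git push": re.compile(r"^git\s+push\b"),
}

# A rule is a tool name with an optional specifier: Tool or Tool(spec).
RULE = re.compile(r"^(?P<tool>\w+)(?:\((?P<spec>.*)\))?$")

# Constructed sample settings, not taken from any real repository.
SAMPLE = """{
  "permissions": {
    "allow": [
      "Read(./src/**)",
      "Bash(npm run test:*)",
      "Bash(curl:*)",
      "Bash(python3:*)",
      "Bash(git push:*)",
      "Bash"
    ]
  }
}"""


def audit(settings_text):
    """Return sorted (rule, reason) pairs for risky entries in permissions.allow."""
    perms = json.loads(settings_text).get("permissions", {})
    findings = []
    for rule in perms.get("allow", []):
        m = RULE.match(rule.strip())
        if not m or m.group("tool") != "Bash":
            continue  # only shell grants are audited here
        spec = m.group("spec")
        if spec is None or spec.strip() in ("", "*"):
            # A bare Bash rule allows every shell command.
            findings.append((rule, "unrestricted shell"))
            continue
        for reason, pattern in RISKY.items():
            if pattern.search(spec.strip()):
                findings.append((rule, reason))
    return sorted(findings)


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE):
        print(f"{rule}: {reason}")
```
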










