According to @bcherny, Claude Code ships with a permission model that combines prompt injection detection, static analysis, sandboxing, and human oversight to control tool execution, as reported on Twitter and documented by Anthropic at code.claude.com/docs/en/permissions. According to the Anthropic docs, teams can run /permissions to expand pre-approved commands by editing allow and block lists and checking them into settings.json for organization-wide policy enforcement. According to @bcherny, full wildcard syntax is supported for granular scoping, for example Bash(bun run *) and Edit(/docs/**), enabling safer automation while reducing friction for common developer workflows. According to the Anthropic docs, this approach helps enterprises standardize guardrails, mitigate prompt injection risks, and accelerate adoption of agentic coding assistants in CI, repositories, and internal docs.

According to @mrnacknack on X, prompt injection attacks can dangerously weaponize AI assistants that have system access by exploiting hidden instructions in seemingly benign content. The detailed breakdown highlights a critical vulnerability, where an attacker embeds hidden white text in emails or documents. When a user asks their AI assistant, such as Claude, to summarize emails, the bot interprets these concealed instructions as system commands, potentially exfiltrating sensitive credentials like AWS keys and SSH keys without the user's knowledge. The same attack method is effective through SEO-poisoned webpages, PDFs, Slack messages, and GitHub pull requests, according to @mrnacknack. This underscores the urgent need for robust sandboxing and security controls when deploying AI assistants in environments with access to sensitive data.