2025-11-03 · Authensor

Can AI Agents Access My Files? Understanding Agent Permissions

Yes — most AI agents run with the same file permissions as your user account, which means they can read, write, and delete any file you can. This includes your .env files, SSH keys, browser cookies, shell history, and every file on your desktop. SafeClaw by Authensor restricts agent file access to only the paths you explicitly permit, using a deny-by-default policy that blocks all reads, writes, and deletes until you define allow rules.

What AI Agents Can Access Right Now

When you run an AI agent (Claude Code, Cursor Agent, Copilot Workspace, or any LangChain/CrewAI agent), it typically inherits your user-level permissions. Here is what that means:

Files agents can read (without any guardrails)

| Path | Contents |
|------|----------|
| ~/.env, .env.local | API keys, database URLs, secrets |
| ~/.ssh/id_rsa | SSH private key |
| ~/.aws/credentials | AWS access keys |
| ~/.gitconfig | Git identity and settings |
| ~/.bash_history | Every command you have ever run |
| ~/.config/ | Application configs, tokens, session data |
| ~/Downloads/ | Anything you have downloaded |
| ~/Documents/ | Personal and work documents |

Actions agents can take (without guardrails)

How SafeClaw Restricts File Access

SafeClaw intercepts every file operation at the action level. The agent cannot touch a file unless a policy rule explicitly allows it.

Quick Start

npx @authensor/safeclaw

Policy: Lock Down File Access

# safeclaw.config.yaml
rules:
  # Allow reading project source code
  - action: file.read
    path: "/home/dev/project/src/**"
    decision: allow

  - action: file.read
    path: "/home/dev/project/tests/**"
    decision: allow

  - action: file.read
    path: "/home/dev/project/package.json"
    decision: allow

  # Allow writing to source code only (.js and .ts files anywhere under src/)
  - action: file.write
    path: "/home/dev/project/src/**/*.{js,ts}"
    decision: allow

  # Block everything outside the project
  - action: file.read
    path: "**"
    decision: deny
    reason: "File read outside project directory is blocked"

  - action: file.write
    path: "**"
    decision: deny
    reason: "File write outside project source is blocked"

  - action: file.delete
    path: "**"
    decision: deny
    reason: "All file deletion is blocked"

This policy confines the agent to your project's src/ and tests/ directories (plus package.json) for reads, and to .js/.ts files under src/ for writes. It cannot read your SSH keys, .env files, browser data, or anything outside the project, and it cannot delete anything at all.

Common Questions

"But I gave the agent a project directory — does it stay there?"

Not necessarily. Many agents resolve relative paths, follow symlinks, and read configuration files that reference other paths. An agent working in ~/project/ might follow an import to ~/shared-libs/ or read ~/.npmrc to resolve a registry URL. Without a policy, there is no boundary.

"Does the agent need to read .env to work?"

Usually not. Your application reads .env at runtime. The agent should read your source code to understand the config structure and use placeholder values. If it needs a specific config value, it should ask you — not read the file.

"What about VS Code extensions and IDE agents?"

IDE-integrated agents (Cursor, Copilot) run within the IDE process, which has the same file access as the IDE itself — your full user permissions. SafeClaw gates file access regardless of how the agent is invoked.

Why SafeClaw

Check What Your Agent Is Accessing

Before writing a policy, use SafeClaw's simulation mode to discover what files your agent actually touches:

mode: simulation

Run your normal workflow. Review the audit log. You will likely be surprised by how many files the agent reads beyond what you expected.

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw