2025-12-01 · Authensor

What Can AI Agents Do to My Computer? Risks and Protections

AI agents running on your computer can do almost anything your user account can do — read every file, execute any command, install software, delete data, and send information over the network. They operate with your permissions, not their own. SafeClaw by Authensor restricts agent capabilities to only the specific actions your policy permits, enforcing deny-by-default gating on every file operation, shell command, and network request.

Everything an AI Agent Can Access

Here is a concrete breakdown of what an unrestricted AI agent can reach on a typical developer machine:

Filesystem Access

| Category | Examples | Risk Level |
|----------|----------|------------|
| Source code | ~/projects/, ~/repos/ | Medium — IP exposure |
| Credentials | .env, .aws/credentials, .ssh/id_rsa | Critical — account takeover |
| Git config | .gitconfig, .git-credentials | High — identity theft |
| Browser data | ~/.config/google-chrome/, ~/Library/Application Support/ | Critical — session hijacking |
| Shell history | .bash_history, .zsh_history | High — reveals commands, paths, passwords typed in shell |
| Personal files | ~/Documents/, ~/Downloads/, ~/Desktop/ | High — PII, financial docs |
| System configs | /etc/, /usr/local/etc/ | High — system modification |

Shell Command Execution

| Command Category | Examples | Consequence |
|-----------------|----------|-------------|
| Destructive | rm -rf, mkfs, dd | Data loss, disk wipe |
| Network | curl, wget, nc | Data exfiltration, downloading malware |
| Package install | npm install, pip install, brew install | Supply chain attack |
| Git operations | git push --force, git reset --hard | Code loss, history rewrite |
| Process control | kill, pkill | Service disruption |
| Permission changes | chmod, chown | Security weakening |

Network Access

Real Harm That Has Happened

These are not theoretical risks. Each has occurred in documented incidents:

  1. Agent read .env and included AWS keys in generated code — committed to public GitHub, AWS account compromised within 12 minutes
  2. Agent ran rm -rf on the wrong directory — deleted deployment scripts, 4 hours of downtime
  3. Agent installed a typosquatted npm package — postinstall script exfiltrated all environment variables
  4. Agent pushed untested code to main — broke production for 18,000 users
  5. Agent sent database query results to an external analytics API — 140,000 user records exfiltrated

How to Protect Your Computer

Quick Start

npx @authensor/safeclaw

Comprehensive Protection Policy

# safeclaw.config.yaml
rules:
  # FILESYSTEM: Allow project access only
  - action: file.read
    path: "/home/dev/myproject/src/**"
    decision: allow

  - action: file.read
    path: "/home/dev/myproject/package.json"
    decision: allow

  - action: file.write
    path: "/home/dev/myproject/src/**/*.{ts,js}"   # .ts/.js sources anywhere under src/
    decision: allow

  # Block all other file operations
  - action: file.read
    path: "**"
    decision: deny

  - action: file.write
    path: "**"
    decision: deny

  - action: file.delete
    path: "**"
    decision: deny

  # SHELL: Allow tests only
  - action: shell.execute
    command_pattern: "npm test*"
    decision: allow

  - action: shell.execute
    command_pattern: "npx tsc*"
    decision: allow

  - action: shell.execute
    command_pattern: "**"
    decision: deny

  # NETWORK: Block everything
  - action: network.request
    host: "**"
    decision: deny
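To check what a rule list shaped like the one above actually permits before handing it to an agent, here is an added example (not SafeClaw's own code). It assumes semantics the page does not spell out: rules are checked top to bottom and the first match decides, `**` crosses `/` in path patterns while `*` and `?` do not, `{a,b}` is an alternation, `*` in host and command patterns matches anything, and a request that matches no rule is denied.

```javascript
// Added example, not SafeClaw's own code. Assumed semantics: first matching rule wins,
// "**" crosses "/" in paths while "*" and "?" do not, "{a,b}" alternates, no match = deny.
function globToRegExp(pattern, pathAware) {
  let re = "", depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*" && pattern[i + 1] === "*") {            // "**/" means zero or more directories
      re += pattern[i + 2] === "/" ? "(?:.*/)?" : ".*";
      i += pattern[i + 2] === "/" ? 2 : 1;
    } else if (c === "*") re += pathAware ? "[^/]*" : ".*";
    else if (c === "?") re += pathAware ? "[^/]" : ".";
    else if (c === "{") { re += "(?:"; depth++; }
    else if (c === "}" && depth > 0) { re += ")"; depth--; }
    else if (c === "," && depth > 0) re += "|";
    else re += c.replace(/[.+^$()|[\]\\{}]/g, "\\$&");  // everything else is literal
  }
  return new RegExp("^" + re + "$");
}
const SELECTORS = { path: "path", host: "host", command_pattern: "command" }; // rule key -> request field
function evaluate(rules, request) {
  for (const rule of rules) {
    if (rule.action !== request.action) continue;
    const key = Object.keys(SELECTORS).find((k) => k in rule);
    if (key && !globToRegExp(rule[key], key === "path").test(request[SELECTORS[key]] ?? "")) continue;
    return rule.decision;                                 // first match decides
  }
  return "deny";                                          // deny-by-default: nothing matched
}
// Constructed subset of the policy above, same order; file.delete is omitted so the fallback is exercised.
const RULES = [
  { action: "file.read", path: "/home/dev/myproject/src/**", decision: "allow" },
  { action: "file.write", path: "/home/dev/myproject/src/**/*.{ts,js}", decision: "allow" },
  { action: "file.read", path: "**", decision: "deny" },
  { action: "file.write", path: "**", decision: "deny" },
  { action: "shell.execute", command_pattern: "npm test*", decision: "allow" },
  { action: "shell.execute", command_pattern: "**", decision: "deny" },
  { action: "network.request", host: "**", decision: "deny" },
];
function checkPolicy() {                                  // probes of the kinds the tables above warn about
  const ask = (action, fields) => evaluate(RULES, { action, ...fields });
  return {
    readEnv: ask("file.read", { path: "/home/dev/myproject/.env" }),
    writeTs: ask("file.write", { path: "/home/dev/myproject/src/a.ts" }),
    npmTest: ask("shell.execute", { command: "npm test -- src/app.test.ts" }),
    curl: ask("shell.execute", { command: "curl https://example.com" }),
    fetch: ask("network.request", { host: "api.example.com" }),
    deleteSrc: ask("file.delete", { path: "/home/dev/myproject/src/app.ts" }),
  };
}
```

Run `checkPolicy()` with Node to see every credential read, network request, non-test command and delete come back `deny` while the two project-scoped operations come back `allow`.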

What This Policy Does

The agent is confined to a single project directory. It can read source code, write source code, and run tests. It cannot:

Why SafeClaw

The Principle to Remember

An AI agent should have the minimum permissions necessary for its task. If it is writing code, it needs source file access and test execution. It does not need shell access, network access, credential access, or the ability to install software. Start with everything denied and add only what you observe the agent legitimately needs.

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw