How to Limit AI Agent File Access
To limit which files your AI agent can read and write, define a deny-by-default SafeClaw policy that allow-lists specific directories and blocks sensitive paths. SafeClaw evaluates every file_read and file_write action against your policy before the agent touches the filesystem. This gives you directory-level, file-level, and pattern-level control over all file operations. Install with npx @authensor/safeclaw.
Why File Access Control Matters
AI agents run with the same filesystem permissions as the user account that launches them. If you can read ~/.ssh/id_rsa, your agent can read it. If you can write to /etc/hosts, your agent can write to it. Operating system file permissions do not help because the agent is you, from the OS perspective.
The Clawdbot incident demonstrated the consequences: an agent with unrestricted file read access ingested credential files containing 1.5 million API keys, then exfiltrated them over the network. The agent had no malicious intent — it simply had access to files it should never have touched.
File access control for AI agents requires a layer that sits between the agent and the filesystem, evaluating every read and write request against an explicit policy. SafeClaw provides this layer.
Step 1: Install SafeClaw
npx @authensor/safeclaw
Zero third-party dependencies. 100% open source client under the MIT license. 446 tests in TypeScript strict mode.
Step 2: Get Your Free API Key
Visit safeclaw.onrender.com. Free tier with 7-day renewable key, no credit card required.
Step 3: Define Your File Access Policy
The following policy demonstrates comprehensive file access control with 18 rules covering common development environments:
```yaml
version: "1.0"
default: deny
rules:
  # ── BLOCKED PATHS (sensitive files) ────────────────────────
  # Credential and secret files
  - action: file_read
    path: "**/.env"
    decision: deny
    reason: "Environment files contain secrets"
  - action: file_read
    path: "**/.env.*"
    decision: deny
    reason: "Environment variant files contain secrets"
  - action: file_read
    path: "**/credentials.json"
    decision: deny
    reason: "Credential files blocked"
  - action: file_read
    path: "**/secrets.yaml"
    decision: deny
    reason: "Secret config files blocked"
  # SSH keys and certificates
  - action: file_read
    path: "~/.ssh/**"
    decision: deny
    reason: "SSH keys are never agent-accessible"
  - action: file_read
    path: "**/*.pem"
    decision: deny
    reason: "Certificate files blocked"
  - action: file_read
    path: "**/*.key"
    decision: deny
    reason: "Private key files blocked"
  # Cloud provider credentials
  - action: file_read
    path: "~/.aws/**"
    decision: deny
    reason: "AWS credentials blocked"
  - action: file_read
    path: "~/.gcloud/**"
    decision: deny
    reason: "Google Cloud credentials blocked"
  - action: file_read
    path: "~/.azure/**"
    decision: deny
    reason: "Azure credentials blocked"
  # System configuration
  - action: file_write
    path: "/etc/**"
    decision: deny
    reason: "System configuration is read-only to agents"
  - action: file_write
    path: "~/.bashrc"
    decision: deny
    reason: "Shell config modification blocked"
  - action: file_write
    path: "~/.zshrc"
    decision: deny
    reason: "Shell config modification blocked"
  # ── ALLOWED READ PATHS ─────────────────────────────────────
  # Source code directories
  - action: file_read
    path: "./src/**"
    decision: allow
    reason: "Agent can read source code"
  - action: file_read
    path: "./lib/**"
    decision: allow
    reason: "Agent can read library code"
  - action: file_read
    path: "./tests/**"
    decision: allow
    reason: "Agent can read test files"
  # Configuration files (non-secret)
  - action: file_read
    path: "./package.json"
    decision: allow
    reason: "Agent can read package manifest"
  - action: file_read
    path: "./tsconfig.json"
    decision: allow
    reason: "Agent can read TypeScript config"
  - action: file_read
    path: "./*.md"
    decision: allow
    reason: "Agent can read documentation"
  # ── ALLOWED WRITE PATHS ────────────────────────────────────
  # Output directories only
  - action: file_write
    path: "./output/**"
    decision: allow
    reason: "Agent can write to output directory"
  - action: file_write
    path: "./dist/**"
    decision: allow
    reason: "Agent can write build artifacts"
  # Source modifications require approval
  - action: file_write
    path: "./src/**"
    decision: require_approval
    reason: "Source code changes need human review"
```
How This Policy Works
Deny-by-default means any file path not matching an explicit allow rule is blocked. If your agent tries to read /var/log/syslog or write to ~/Documents/personal.txt, the action is denied without needing a specific rule for those paths.
First-match-wins means rules are evaluated top to bottom. The first matching rule determines the decision. Place deny rules for sensitive paths before broader allow rules to ensure sensitive files are blocked even if they fall within an allowed directory pattern.
Separate read and write controls give you granular permissions. An agent that can read ./src/** does not automatically get write access. You can allow reads broadly while restricting writes to specific output directories.
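To make deny-by-default and first-match-wins concrete, the following is an added reference evaluator for a subset of the policy above; it is example code, not SafeClaw's own implementation. The glob semantics, the roots that "~" and "./" expand to (/home/dev and /home/dev/app) and the collapsing of ".." segments before matching are assumptions of this example, not documented SafeClaw behaviour.

```python
import posixpath
import re

# Constructed roots for the example: "~" and "./" expand to these directories.
HOME = "/home/dev"
PROJECT = "/home/dev/app"

def normalize(path: str) -> str:
    """Expand ~ and ./, then collapse '..' so ./src/../../.ssh/id_rsa
    cannot slip past a ./src/** allow rule (an assumption of this example)."""
    if path.startswith("~/"):
        path = HOME + path[1:]
    elif path.startswith("./"):
        path = PROJECT + path[1:]
    return posixpath.normpath(path)

def glob_to_regex(pattern: str) -> re.Pattern:
    """'**' spans any number of directories; '*' stays inside one segment."""
    out, i, pattern = [], 0, normalize(pattern)
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def evaluate(rules, action, path):
    """Deny-by-default, first-match-wins: the first rule whose action and
    glob both match decides; no match at all means deny."""
    target = normalize(path)
    for rule in rules:
        if rule["action"] == action and glob_to_regex(rule["path"]).match(target):
            return rule["decision"], rule["reason"]
    return "deny", "no matching rule (default: deny)"

# Subset of the page's policy, in the page's order: denies before allows.
POLICY = [
    {"action": "file_read", "path": "**/.env", "decision": "deny", "reason": "Environment files contain secrets"},
    {"action": "file_read", "path": "~/.ssh/**", "decision": "deny", "reason": "SSH keys are never agent-accessible"},
    {"action": "file_read", "path": "./src/**", "decision": "allow", "reason": "Agent can read source code"},
    {"action": "file_write", "path": "./src/**", "decision": "require_approval", "reason": "Source code changes need human review"},
]
```

Evaluating the same rules in reversed order lets a read of ./src/.env through on the broad ./src/** allow, which is exactly why the text places deny rules for sensitive paths first.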
Step 4: Test with Simulation Mode
SAFECLAW_MODE=simulation npx @authensor/safeclaw
Run your agent through its standard workflows. The audit log records every file operation the agent attempts and whether the policy would allow or deny it. Review the log for:
- False denials: Legitimate file reads being blocked because the path is not in your allow list. Add allow rules for these paths.
- Unexpected access attempts: File paths you did not expect the agent to access. Investigate why the agent needs these files.
- Sensitive path hits: Any attempts to access credential files, SSH keys, or cloud provider directories. These should be denied.
Step 5: Enforce
SAFECLAW_MODE=enforce npx @authensor/safeclaw
Policy evaluation completes in sub-millisecond time. Your agent's performance is unaffected.
Common File Access Patterns
Coding Agent (e.g., Claude Code, Cursor)
Allow reads on the project directory. Allow writes on src/ with approval. Block everything outside the project root.
Data Processing Agent
Allow reads on the data input directory. Allow writes on the output directory. Block reads on any directory containing PII or credentials.
CI/CD Agent
Allow reads on the repository. Allow writes to build artifact directories. Allow specific shell commands (npm test, npm run build). Block credential file reads.
Research Agent
Allow reads on the documents directory. Allow writes to a notes/output directory. Block network access to prevent data exfiltration. Block all shell execution.
Verifying Your Policy
After enforcement, review the audit trail at safeclaw.onrender.com. Every file operation is logged with a SHA-256 hash chain — tamper-proof and exportable for compliance audits. The trail shows action type, file path, policy decision, matched rule, and timestamp.
SafeClaw's control plane sees only action metadata (file paths and decisions). It never sees file contents, and it never reads or transmits your actual files.
Cross-References
- How to Prevent AI Agents from Reading .env Files
- How to Prevent AI Agents from Accessing SSH Keys
- Policy Rule Syntax Reference
- Simulation Mode Reference
- Least Privilege for AI Agents
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw