2026-01-22 · Authensor

How to Safely Use Claude Code: Complete Safety Guide

To safely use Claude Code, add SafeClaw action-level gating. Install with npx @authensor/safeclaw and define a deny-by-default policy that controls which files the agent can write, which commands it can run, and which network requests it can make. Claude Code operates as a fully autonomous coding agent inside your terminal — it reads your entire codebase, writes and deletes files, executes arbitrary shell commands, and makes network requests. SafeClaw intercepts every one of these actions before execution and evaluates it against your policy in sub-millisecond time.

What Claude Code Can Do (And Why That's Risky)

Claude Code is Anthropic's CLI-based coding agent. When you grant it permissions, it can:

Read any file on your filesystem — including .env files, SSH keys, credentials, and config files outside your project directory.
Write and overwrite files — it can modify source code, configuration files, package manifests, and deployment scripts with no built-in restriction on which paths it targets.
Delete files and directories — a misinterpreted instruction can result in rm -rf on directories you did not intend.
Execute arbitrary shell commands — git push --force, npm publish, docker rm, curl to external endpoints. Claude Code runs these in your shell with your user permissions.
Install packages — it routinely runs npm install, pip install, or brew install, pulling code from public registries.
Make network requests — via shell commands or tool calls, it can POST data to external URLs, download scripts, or interact with APIs using tokens in your environment.

The default permission model in Claude Code is session-based: you approve broad categories (file edits, shell commands) at the start, and then every action in that category proceeds without further confirmation. This means one approval unlocks hundreds of subsequent actions.

Step-by-Step Setup

Step 1: Install SafeClaw

npx @authensor/safeclaw

This launches the setup wizard. Select MCP Server as the integration type — Claude Code supports MCP (Model Context Protocol) tool servers natively.

Step 2: Get Your API Key

Visit safeclaw.onrender.com and create a free-tier key. Free keys are renewable every 7 days with no credit card required. The browser dashboard includes a setup wizard that generates your initial policy.

Step 3: Configure the MCP Server

Add SafeClaw to your Claude Code MCP configuration. In your project directory, create or edit .claude/mcp_servers.json:

{
  "safeclaw": {
    "command": "npx",
    "args": ["@authensor/safeclaw", "serve", "--mode", "mcp"],
    "env": {
      "SAFECLAW_API_KEY": "your-key-here"
    }
  }
}

Step 4: Define Your Policy

Create safeclaw.policy.yaml in your project root:

version: 1 default: deny rules: - action: file_read path: "${PROJECT_DIR}/**" effect: allow - action: file_read path: "*/.env" effect: deny - action: file_read path: "*/secret*" effect: deny - action: file_write path: "${PROJECT_DIR}/src/**" effect: allow - action: file_write path: "${PROJECT_DIR}/tests/**" effect: allow - action: file_write path: "${PROJECT_DIR}/package.json" effect: allow - action: shell_exec command: "npm test" effect: allow - action: shell_exec command: "npm run build" effect: allow - action: shell_exec command: "git diff*" effect: allow - action: shell_exec command: "git status" effect: allow - action: shell_exec command: "git add*" effect: allow - action: shell_exec command: "git commit*" effect: allow - action: shell_exec command: "rm -rf*" effect: deny - action: shell_exec command: "git push --force*" effect: deny - action: network host: "registry.npmjs.org" effect: allow

- action: network host: "*" effect: deny

Step 5: Enable Simulation Mode First

Before enforcing, test your policy:

npx @authensor/safeclaw simulate --policy safeclaw.policy.yaml

Simulation mode logs every action with its ALLOW/DENY verdict without actually blocking anything. Review the output, adjust rules, then switch to enforce mode.

Recommended Policy

The policy above is tuned for a typical Claude Code session: editing source and test files, running tests and builds, using git for version control, and blocking destructive operations. Key principles:

Deny by default — anything not explicitly allowed is blocked.
Scope file writes to src/ and tests/ — prevents modification of CI configs, deployment manifests, or root-level dotfiles.
Block .env reads — even if the agent needs environment context, it should not read raw secrets.
Allow only safe git operations — git status, git diff, git add, git commit. Block git push --force.
Block all outbound network except the npm registry.

What Gets Blocked, What Gets Through

ALLOWED — Reading a source file:

{ "action": "file_read", "path": "/project/src/index.ts", "verdict": "ALLOW" }

DENIED — Reading your SSH key:

{ "action": "file_read", "path": "/Users/you/.ssh/id_rsa", "verdict": "DENY", "reason": "path outside PROJECT_DIR, default deny" }

ALLOWED — Running tests:

{ "action": "shell_exec", "command": "npm test", "verdict": "ALLOW" }

DENIED — Force-pushing to main:

{ "action": "shell_exec", "command": "git push --force origin main", "verdict": "DENY", "reason": "matches explicit deny rule for git push --force*" }

DENIED — Curling data to an external server:

{ "action": "network", "host": "attacker.example.com", "verdict": "DENY", "reason": "host not in allowlist, default deny" }

Without SafeClaw vs With SafeClaw

| Scenario | Without SafeClaw | With SafeClaw |
|---|---|---|
| Agent reads .env with database credentials | File contents sent to model context | Blocked — .env* path matched deny rule |
| Agent runs rm -rf /tmp/build then misinterprets path | Command executes with your user permissions | Blocked — rm -rf* matched explicit deny |
| Agent installs a malicious npm package | Package installed, postinstall script runs | Allowed if npm registry is allowlisted, but outbound network from postinstall scripts to unknown hosts is blocked |
| Agent writes to deploy.yaml in project root | File overwritten, deployment config changed | Blocked — write path not in src/ or tests/ |
| Agent commits code after edits | Commit proceeds normally | Allowed — git commit* is in the allowlist |

Every action — allowed or denied — is recorded in a tamper-proof audit trail using a SHA-256 hash chain. The SafeClaw control plane sees only action metadata (action type, path pattern, timestamp), never your API keys or file contents. The client is 100% open source under the MIT license. SafeClaw evaluates policies with zero third-party dependencies, backed by 446 tests under TypeScript strict mode.

Cross-References

What is SafeClaw? — Overview of action-level gating architecture
How to Safely Run MCP Tool Servers — MCP server integration details
SafeClaw Policy Reference — Full policy syntax documentation
How to Safely Run Autonomous Coding Agents — General patterns for autonomous agent safety
How to Safely Use Cursor Agent Mode — Cursor also uses MCP integration

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw