2025-12-29 · Authensor

How to Prevent AI from Creating New Files Outside a Project

SafeClaw by Authensor prevents AI agents from creating files outside your designated project directory through path-scoped deny-by-default rules. Any file.write or file.create action targeting a path outside your project is automatically blocked. Install with npx @authensor/safeclaw and file creation is contained to your project from the very first action.

Why This Is Important

An AI agent that can create files anywhere on your filesystem poses serious risks. It could drop executable scripts in your home directory, create cron jobs, write to system configuration directories, place files in other projects, or create hidden files that persist after the session ends. Containing file creation to a single directory limits the blast radius of any unintended behavior.

Step 1: Install SafeClaw

npx @authensor/safeclaw

Works with Claude Code, OpenAI agents, and all major agent frameworks. Zero dependencies, MIT licensed.

Step 2: Allow File Creation Only in Your Project

# safeclaw.policy.yaml
rules:
  # Allow creating files within the project
  - action: file.create
    path: "/home/user/projects/my-app/**"
    effect: allow
    reason: "File creation allowed within the project directory"

  - action: file.write
    path: "/home/user/projects/my-app/**"
    effect: allow
    reason: "File writes allowed within the project directory"

  # Deny file creation everywhere else
  - action: file.create
    path: "**"
    effect: deny
    reason: "File creation outside the project directory is blocked"

  - action: file.write
    path: "**"
    effect: deny
    reason: "File writes outside the project directory are blocked"

SafeClaw is deny-by-default, so a path that matches no allow rule is blocked even without the two catch-all deny rules. Keeping them makes the intent visible in the policy file and gives each denied attempt a named reason in the audit log. Note the "/" before "**" in the project pattern: "/home/user/projects/my-app/**" matches only paths below that directory, not a sibling such as /home/user/projects/my-app-evil.

Step 3: Block Specific Dangerous Locations

These locations are already outside the project, so the catch-all deny from Step 2 covers them. Listing them explicitly gives each denied attempt a specific reason in the audit log and keeps the block in place if the catch-all is ever relaxed:

rules:
  - action: file.create
    path: "~/.local/bin/**"
    effect: deny
    reason: "Cannot create executables in user bin"

  - action: file.create
    path: "~/.config/autostart/**"
    effect: deny
    reason: "Cannot create autostart entries"

  - action: file.create
    path: "/tmp/**"
    effect: deny
    reason: "Cannot stage files in /tmp (world-writable drop location)"

  - action: file.create
    path: "/etc/cron.d/**"
    effect: deny
    reason: "Cannot create system cron jobs"

  - action: file.create
    path: "/var/spool/cron/**"
    effect: deny
    reason: "Cannot create user crontabs"

  - action: file.create
    path: "/usr/**"
    effect: deny
    reason: "Cannot write to system directories"

Cron persistence is usually installed with the crontab command rather than by writing the spool file directly, so pair these path rules with a shell.execute deny on "crontab *". Denying /tmp also breaks tools that use TMPDIR by default; the Temporary Files section below shows how to give the agent scratch space inside the project instead.

Step 4: Handle mkdir Commands

An agent might try to create directories outside your project using shell commands. The file.create and file.write rules above only see the agent's native file tools; anything it runs through shell.execute has to be gated separately:

rules:
  - action: shell.execute
    command_pattern: "mkdir *"
    working_directory: "/home/user/projects/my-app"
    effect: allow
    reason: "Allow mkdir within the project"

  - action: shell.execute
    command_pattern: "mkdir *"
    effect: deny
    reason: "Block mkdir outside the project"

Be clear about what working_directory does and does not constrain: it fixes where the command runs, not what it names. mkdir /etc/cron.d/x and mkdir -p ../../escape both match the allow rule above when run from the project. Where the agent can be made to use absolute paths, anchoring the pattern to the project path is stricter, as the touch rule below does.

Also block touch, which creates empty files:

rules:
  - action: shell.execute
    command_pattern: "touch /home/user/projects/my-app/**"
    effect: allow
    reason: "Allow touch within the project"

  - action: shell.execute
    command_pattern: "touch *"
    effect: deny
    reason: "Block touch outside the project"

mkdir and touch are only the obvious cases. Output redirection (echo x > ~/evil.sh), cp, tee, install, git clone and any interpreter (python -c, node -e) create files too, so keep shell.execute deny-by-default and allow named commands narrowly rather than trying to enumerate every file-creating command.

Step 5: Protect Against Path Traversal

An agent might try to escape the project directory using relative paths:

rules:
  - action: file.create
    path: "/home/user/projects/my-app/**"
    resolve_symlinks: true
    effect: allow
    reason: "Allow creation only when resolved path is in project"

SafeClaw resolves all paths to their canonical form before evaluation. A path like /home/user/projects/my-app/../../.bashrc resolves to /home/user/.bashrc and is denied. With resolve_symlinks enabled the same applies to symbolic links: a write to my-app/link/evil.sh, where link points outside the project, is judged by the resolved target and denied. Resolution happens at evaluation time, so a link retargeted between the check and the write would not be seen; limiting the agent's ability to create symlinks (ln is a shell.execute command) closes that gap.

Step 6: Test and Audit

npx @authensor/safeclaw --simulate

Ask your agent to create a file outside the project. The log confirms:

[DENIED] file.create: "/home/user/test-script.sh"
  Rule: "File creation outside the project directory is blocked"

Review the hash-chained audit trail:

npx @authensor/safeclaw audit --filter "action:file.create"

Every file creation attempt, allowed or denied, is recorded with a tamper-evident hash chain: each entry commits to the one before it, so a deleted or edited entry breaks the chain and is detectable on review.

Temporary Files

If your agent needs to write temporary files (for test output, build artifacts, etc.), scope them to a temp directory within your project rather than /tmp. With the project-wide allow from Step 2 this directory is already permitted; the explicit rule matters when you narrow that allow to specific subdirectories, and in either case set TMPDIR to it so tools that default to /tmp do not trip the deny from Step 3:

rules:
  - action: file.create
    path: "/home/user/projects/my-app/.tmp/**"
    effect: allow
    reason: "Allow temp files within the project"

SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers.


Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw