Is Your Claude Code Setup Safe? Check in 5 Seconds
Recent CVE disclosures (CVE-2025-59536, CVE-2026-21852) showed that malicious .claude/settings.json files in cloned repos can execute arbitrary shell commands and exfiltrate API keys. Anthropic patched these specific vulnerabilities, but a broader question remains: what is Claude Code allowed to do on your machine right now?
I built a one-command audit to answer that question.
The one-liner
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/safety-check/check.sh | bash
No installation. No dependencies beyond bash and python3. Takes about 2 seconds.
What it checks
The script inspects ~/.claude/settings.json and scores 9 items across 5 categories: destructive command protection (bash-guard, git-safe), file protection (file-guard, branch-guard), observability (session-log), efficiency (read-once), and built-in permission rules.
Each check is weighted by blast radius. The check for unrestricted bash commands (weight 20) counts for more than the one for token-saving hooks (weight 10). The total gives you a grade from A to F.
Every failed check shows a one-liner install command. If you’re missing 3+ hooks, it suggests installing them all at once.
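A simplified sketch of this kind of weighted audit, added here as an example and not the project's check.sh. Only the weights 20 and 10 come from the text above; the other weights, the grade cut-offs, the single deny-rule check, name matching on hook commands, and the sample settings with its hook path are assumptions.

```python
import json

# Weights 20 (bash protection) and 10 (token-saving read-once) come from the
# article; every other weight and the grade cut-offs are assumed here.
HOOK_WEIGHTS = {"bash-guard": 20, "git-safe": 15, "file-guard": 15,
                "branch-guard": 10, "session-log": 10, "read-once": 10}
DENY_WEIGHT = 20                                                  # assumed
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]   # assumed

# Constructed sample settings.json; the hook path is hypothetical.
SAMPLE = json.loads("""
{
  "permissions": {"deny": ["Read(./.env)"]},
  "hooks": {
    "PreToolUse": [
      {"matcher": "Bash",
       "hooks": [{"type": "command", "command": "~/.claude/hooks/bash-guard.sh"}]}
    ]
  }
}
""")

def hook_commands(settings):
    """Yield each command string registered under any hook event."""
    for groups in settings.get("hooks", {}).values():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command":
                    yield hook.get("command", "")

def audit(settings):
    """Return (percent, grade, missing) for a parsed settings dict."""
    cmds = list(hook_commands(settings))
    # Assumption: a hook counts as installed if its name appears in a command.
    passed = {name: any(name in c for c in cmds) for name in HOOK_WEIGHTS}
    passed["deny-rules"] = bool(settings.get("permissions", {}).get("deny"))
    weights = {**HOOK_WEIGHTS, "deny-rules": DENY_WEIGHT}
    earned = sum(w for name, w in weights.items() if passed[name])
    pct = round(100 * earned / sum(weights.values()))
    grade = next(g for floor, g in GRADES if pct >= floor)
    return pct, grade, [name for name, ok in passed.items() if not ok]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The same `hook_commands` helper can be pointed at a freshly cloned repo's .claude/settings.json to list every shell command its hooks would run before you open the project.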
Why this matters
Even without attackers, Claude Code has broad access by default. It can run rm -rf / if you approve without reading carefully, force-push and destroy branch history, read .env files, and commit directly to main.
Hooks add a deterministic safety layer that works regardless of what the model decides to do.
Try it
curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/safety-check/check.sh | bash
| Source code + 30 tests | DEV.to article |