In my previous post, I explained the concept of the folder trust gap in AI agents. And today someone released a new article which describes such vulnerabilities in Claude Code. Nothing new except an interesting attack vector with environment variables.

Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files…

I have copied and pasted the content of the article here for your reference

When a victim clones the repository and runs claude, their API key would be sent directly to the attacker’s server – before the victim decides to trust the directory. No user interaction required.

This is fascinating, it is not a command executed on your machine, but it is a data exfiltration attack. The attacker can steal your API key without you even realizing it.