Security researchers warn that allowlisting specific Bash commands in AI coding tools like Claude Code can inadvertently grant access to run any command. Developers using tools such as go test, docker, and eslint may unknowingly enable full system access through file edits and command chaining.

The issue stems from how developer tools are built to execute arbitrary code by design. Editing a test file to include exec.Command and running go test can lead to unrestricted command execution. Similar risks exist with docker run, pnpm run, and make commands, especially when files are auto-executed in development environments like Next.js or Jest.

Experts suggest that traditional allowlisting is inadequate. Instead, sandboxing solutions, such as those from Cursor and Claude Code, offer better isolation. Running these tools on separate hosts or using sandbox-exec can limit potential damage. As AI agents gain autonomy, current permission models may prove insufficient.

Organizations integrating AI into development pipelines must reconsider how they manage local execution environments. Default developer tools weren’t built with adversarial prompts in mind. Companies like Formal are pushing for stronger isolation to prevent unintended code execution.