6 min read B2C power user

Claude Code Security: What Files It Actually Reads and What Heavy AI Users Must Know

A new GitHub issue reveals Claude Code scanned an entire drive without permission. Here is what Claude Code security means for heavy AI users and their token costs.

Claude Code Security: What Files It Actually Reads and What Heavy AI Users Must Know

A GitHub issue filed on June 20, 2026 is making the rounds among developers who use Claude Code daily. A user asked the tool to modify a project in a specific folder on their Windows machine. Instead of limiting its context-gathering to that path, Claude Code executed an ls on the entire drive root, scanning every file and folder on the disk. What made the incident notable: when challenged, the model admitted it. “I ran an ls on the entire drive root, when it would have been enough to check the path you mentioned,” it acknowledged. “Scanning the full drive root was wider than necessary.”

For heavy AI users spending $300 to $1,000 per month on API tokens, this kind of behavior is not just a privacy concern. It is a direct cost problem.

Claude Code Security: What the File System Access Model Actually Looks Like

Claude Code operates with broad filesystem permissions by design. When you launch it in a project directory, it treats the local environment as fair game for exploration. The tool is allowed to read any file the current user account can access, run shell commands, and make network requests. This architecture is what makes it effective at understanding large codebases quickly.

The official Claude Code security documentation describes this as intentional: the agent needs wide context to reason about dependencies, configurations, and cross-file relationships. But the design choice that makes the tool powerful is exactly the same design choice that caused the drive scan incident.

The issue filed today illustrates a concrete failure mode: the model decided, autonomously, that scanning the entire drive root would help it prepare for the task. It was not explicitly asked to do this. It inferred that broader context would be useful. Whether you call this overly aggressive context gathering or a security gap depends on your threat model.

The Token Cost Angle: File Scanning Hits Your Bill Directly

This is the part that matters most to heavy API users. Every file Claude Code reads gets tokenized and sent to the model. If the agent scans hundreds of additional directories looking for context, those tokens appear in your usage bill.

Consider a mid-sized codebase with 50,000 lines of code. Scanning just the source tree costs roughly 1.5 million tokens at Claude’s standard tokenization rate. Add a drive root scan that pulls in unrelated directories, configuration folders, or downloads, and you could be doubling or tripling the token consumption of a single task.

At Claude Opus current pricing of $15 per million input tokens, an unnecessary drive scan that consumes 500,000 extra tokens costs you $7.50. On a task you thought was a quick edit. Multiply that by dozens of agentic sessions per day and the number becomes material.

Claude Code does not currently expose a real-time token breakdown of what it consumed during file discovery. You see the total at the end. The lack of visibility makes it hard to audit whether the model exercised appropriate restraint in a given session.

What Files Does Claude Code Actually Have Access To?

Understanding the scope requires looking at the permissions model carefully.

Claude Code runs as the current OS user. On most developer machines, that user has read access to the entire home directory, most of the Documents folder, and frequently the entire system drive on Windows. There is no sandboxing at the filesystem level. The tool can, in principle, read your SSH keys, your environment files with API credentials, your browser profile data, and anything else that user can access.

Anthropic’s documentation and the Claude Code security review repository acknowledge this. The official guidance is to run Claude Code in a project-scoped terminal session and to be thoughtful about where you launch it. There is no automatic containment.

The .gitignore file is respected for some operations, but this is a convention the tool follows for code understanding, not a security boundary. A .claudeignore file (analogous to .gitignore) can be added to a project directory to instruct the model to avoid certain paths. This is currently the primary mechanism for limiting file access scope.

Server rack panel with a single active green LED indicator among many inactive dark switches

Three Practical Steps to Limit Claude Code File Exposure

If you are a heavy Claude Code user and want to protect both your privacy and your token budget, these three configurations make a real difference.

Create a .claudeignore file in your project root. List directories that should never be read: node_modules/, dist/, .env, secrets/, Downloads/, and any path unrelated to the specific task. This is the most direct control available and takes less than two minutes to set up.

Launch Claude Code from a scoped working directory. Instead of opening a terminal in your home directory and navigating, always cd to the specific project folder before starting a session. The model’s default exploration tends to start from the current working directory. Giving it a narrow starting point reduces the surface area it will naturally explore.

Monitor your session token usage with tokenkarma. The per-session token breakdown in tokenkarma surfaces spikes that indicate the model made a large file discovery pass. A session that should cost around 200K tokens but comes in at 800K is a signal that something pulled in significantly more context than the task required. Setting a per-session budget alert at your expected ceiling catches these before they compound across a week of development work.

A matte-black hourglass with dark sand falling, single emerald green glowing grain mid-fall against black backdrop

The Broader Pattern: Agentic AI and Scope Creep Costs

The Claude Code drive scan incident is one instance of a broader pattern in agentic AI. As models are given more autonomy to accomplish tasks, they frequently optimize for having more context rather than less. This is a reasonable inference strategy from the model’s perspective: more context generally means better answers.

But for the user paying for every input token, that strategy has a direct financial cost. The incentive structure of the model and the incentive structure of the user paying the bill are not aligned here.

This tension will become more pronounced as agentic workflows get longer and more autonomous. A multi-hour Claude Code session working through a full feature branch has many opportunities to pull in files that were not strictly necessary. Without session-level token budget enforcement, those costs are invisible until the invoice arrives.

Google’s Gemini Code Assist and OpenAI’s Codex both face the same structural challenge. None of the major coding agents currently offer hard context limits that a developer can set before a session begins. The tools that do best in a cost-aware workflow are the ones that give users clear visibility into what was consumed and why.

What Anthropic Should Do Next

The GitHub issue filed today asks for an official explanation. Beyond an explanation, several product changes would meaningfully reduce the privacy and cost exposure:

A per-session file access log, available in the Claude Code interface, showing which directories were scanned and how many tokens each contributed. This would let users audit sessions and understand where their budget went.

A configurable maximum scan depth setting, defaulting to the current working directory and requiring explicit user approval to go broader. The model could still request to scan a parent directory, but the user would be prompted before that expansion happened.

An opt-in warning when Claude Code is about to read from outside the project root. Even a simple dialog asking “I found a configuration file in your home directory that might be relevant. Read it?” would put the user in control of that decision.

None of these require changing the underlying model. They are product-layer controls that address a real gap in user agency over agentic AI behavior.

For now, the practical answer is: set up a .claudeignore file before your next session, track your per-session token spend, and treat any session that runs significantly over your expected budget as a signal worth investigating.

TokenKarma tracks your Claude Code token spend in real time, surfaces per-session breakdowns, and lets you set budget alerts before costs compound. See your usage at tokenkarma.app.