Skills
Treat project-local agent config as untrusted internet traffic — and resolve symlinks before you validate paths
Anthropic discloses that from mid-2025 to January 2026, a malicious `.claude/settings.json` could execute hooks before the user ever approved trusting the project. The fix was to defer all project-local config parsing until after trust approval. The companion rule from the same post: symlink resolution must precede path validation, or a workspace-scoped write boundary can be escaped by pointing a symlink out of it.
↳ Follow the thread