Key Takeaways
- Add a "# In open source repos, never run npm install or pip install without asking first" rule to CLAUDE.md.
- This prevents Claude Code from executing untrusted code, saving tokens and protecting your system.
The Problem: Agentic Tools Treat All Code Equally
You clone a random GitHub repo. You ask Claude Code to "fix the build error." Three seconds later, it runs npm install, downloads 500 packages from the internet, and your terminal is a mess of dependency resolution logs.
This isn't hypothetical. The open source ecosystem is grappling with agentic coding tools that treat all code as trusted. And Claude Code is one of the most aggressive — it will execute shell commands, install dependencies, and modify files without asking.
That's great for your own projects. It's dangerous for open source repos you haven't vetted.
The Fix: One Line in CLAUDE.md
Add this to your global or project-level CLAUDE.md:
# In open source repos, never run npm install, pip install, cargo build, or any package manager command without asking me first.
That's it. Claude Code will stop and ask before running any package manager command. You get a chance to review what it's about to do.
Why This Works
Claude Code respects CLAUDE.md rules as hard constraints. When you say "never run X without asking," it will not execute X autonomously. It will instead present you with the command and wait for approval.
This is different from just saying "be careful with dependencies." Claude Code interprets that as a suggestion, not a rule. The word "never" combined with a specific action creates a hard block.
How to Apply This Right Now

Global CLAUDE.md (recommended for all projects):
claude code --init-global
Then add the rule above.
Per-repo CLAUDE.md (for specific repos):
Create a CLAUDE.md file in the repo root with the rule.
Prompt override (for one-off operations):
claude code -p "Fix the build but do NOT install any packages"
Beyond Package Managers
You can extend this pattern to other dangerous operations:
# Security rules
- Never run curl, wget, or any network fetch without asking
- Never modify package.json, requirements.txt, or Cargo.toml without asking
- Never run make, cmake, or build scripts without asking
- Never delete files outside the current directory without asking
The Bigger Picture
The open source community is starting to push back against agentic tools that treat all code as trusted. The issue isn't Claude Code — it's that these tools are powerful enough to cause real damage.
A supply chain attack on an npm package could, through an agentic tool, propagate to your production environment. A malicious postinstall script could exfiltrate environment variables. These aren't theoretical.
By adding a simple rule to CLAUDE.md, you turn Claude Code from a potential liability into a tool that respects your security boundaries.
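The rule only buys you a review step; what you do with it decides whether the review is worth anything. The first thing to read before approving an install in a freshly cloned repo is the repo's own package.json, because npm runs its lifecycle hooks (preinstall, postinstall, prepare and friends) automatically as part of npm install. The script below is an added example, not code from the original post or from Claude Code: the function names (list_lifecycle_scripts, audit_before_install) and the sample package.json it writes are constructed for illustration. It is a line-based scan of a conventionally formatted package.json, not a JSON parser.

```shell
#!/bin/sh
# Pre-approval audit of a cloned repo's package.json lifecycle hooks.
# Added example, not from the original post. `npm install` runs the hooks
# matched below automatically, so they are the first thing to read before
# approving the install command that Claude Code presents.

# list_lifecycle_scripts FILE: print "hook: command" for every npm lifecycle
# hook declared inside FILE's "scripts" block. Line-based scan of a
# conventionally formatted package.json (one key per line), not a JSON
# parser; a command containing an escaped quote is cut at the escape.
list_lifecycle_scripts() {
    awk -F'"' '
        /"scripts"[[:space:]]*:/      { inside = 1; next }
        inside && /^[[:space:]]*\}/   { inside = 0; next }
        inside && NF >= 4 && $2 ~ /^(preinstall|install|postinstall|prepare|prepublish|prepublishOnly|prepack|postpack)$/ {
            print $2 ": " $4
        }
    ' "$1"
}

# count_lifecycle_scripts FILE: number of hooks list_lifecycle_scripts found.
count_lifecycle_scripts() {
    list_lifecycle_scripts "$1" | wc -l | tr -d ' '
}

# write_sample_package_json FILE: constructed sample, not a real project.
# "install" under "dependencies" is a dependency on the npm package of that
# name and must not be reported; only keys in the "scripts" block count.
write_sample_package_json() {
    cat > "$1" << 'EOF'
{
  "name": "sample-app",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "node scripts/setup.js",
    "test": "jest",
    "prepare": "husky install"
  },
  "dependencies": {
    "install": "^0.13.0"
  }
}
EOF
}

# audit_before_install REPO_DIR: print the hooks and return non-zero when
# any exist, so a wrapper script can stop and ask before running npm install.
audit_before_install() {
    pkg="$1/package.json"
    [ -f "$pkg" ] || { echo "no package.json in $1"; return 0; }
    hooks="$(list_lifecycle_scripts "$pkg")"
    if [ -n "$hooks" ]; then
        echo "lifecycle hooks that 'npm install' would run in $1:"
        echo "$hooks"
        return 1
    fi
    echo "no lifecycle hooks in $pkg"
    return 0
}

# Demo on the constructed sample: prints the two hooks and a non-zero status.
demo_dir="$(mktemp -d)"
write_sample_package_json "$demo_dir/package.json"
audit_before_install "$demo_dir" || echo "(review required before approving install)"
rm -rf "$demo_dir"
```

Run it as `audit_before_install /path/to/cloned/repo` from a wrapper around the approval step; a non-zero exit means there is something to read first. It says nothing about hooks in transitive dependencies, which are not on disk until the install runs; `npm install --ignore-scripts` is the usual way to fetch those for inspection without executing them.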
Try It Now
# Create a global CLAUDE.md with security rules (the file name is case-sensitive on Linux)
mkdir -p ~/.claude
cat >> ~/.claude/CLAUDE.md << 'EOF'
# Security rules for all projects
- In open source repos, never run npm install, pip install, or any package manager command without asking me first
- Never run curl, wget, or network commands without asking
- Never modify lockfiles (package-lock.json, yarn.lock, poetry.lock) without asking
EOF
Next time you clone a repo and ask Claude Code to build it, you'll get a prompt before it installs anything. You can review the command, approve it, or reject it.
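The heredoc above appends a fresh copy of every rule each time it is run, so a global CLAUDE.md maintained this way across several machines or dotfile syncs fills up with duplicates. The script below is an added example, not code from the original post or from Claude Code: it writes the same rules, but checks for an identical line first so it can be re-run safely. The function names (add_rule, install_rules) and the CLAUDE_RULES_TARGET variable are this example's own choices; the default path ~/.claude/CLAUDE.md is the global file the post configures.

```shell
#!/bin/sh
# Idempotent installer for CLAUDE.md security rules.
# Added example, not from the original post: `cat >>` appends a duplicate
# copy on every run; add_rule appends a line only if it is not already there.

# add_rule FILE RULE: append RULE to FILE unless an identical line exists.
add_rule() {
    file="$1"
    rule="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    # -F literal match, -x whole line, -q no output; "--" because a rule
    # starts with "- " and would otherwise be read as an option.
    if grep -Fxq -- "$rule" "$file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# install_rules FILE: the header and rules from the post, written once each.
install_rules() {
    file="$1"
    add_rule "$file" "# Security rules for all projects"
    add_rule "$file" "- In open source repos, never run npm install, pip install, or any package manager command without asking me first"
    add_rule "$file" "- Never run curl, wget, or network commands without asking"
    add_rule "$file" "- Never modify lockfiles (package-lock.json, yarn.lock, poetry.lock) without asking"
}

# count_rule_lines FILE: number of rule lines (those beginning with "- ").
count_rule_lines() {
    grep -c '^- ' "$1"
}

# Usage: CLAUDE_RULES_TARGET="$HOME/.claude/CLAUDE.md" sh install_claude_rules.sh
# The write happens only when the target is given explicitly, so sourcing
# this file to reuse add_rule does not touch the real global config.
if [ -n "${CLAUDE_RULES_TARGET:-}" ]; then
    install_rules "$CLAUDE_RULES_TARGET"
    echo "$(count_rule_lines "$CLAUDE_RULES_TARGET") rule lines in $CLAUDE_RULES_TARGET"
fi
```

Running it twice against the same file leaves three rule lines and one header, and the same add_rule function works for a per-repo CLAUDE.md by pointing CLAUDE_RULES_TARGET at the repo root.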
That's the difference between using a tool and being used by it.
Source: news.google.com