6 min read
|
Saved February 14, 2026
Do you care about this?
The article details eight vulnerabilities in Claude Code that allow arbitrary command execution without user approval. It explains how flaws in the permission model and regex blocklists can be exploited through various commands like `man`, `sort`, and `git`. Each method demonstrates a different oversight in command argument filtering.
If you do, here's more
RyotaK, a security engineer, exposes vulnerabilities in Claude Code that allow for arbitrary command execution without user approval. He identifies eight specific methods to bypass the system’s permission model, which includes both an allowlist for pre-approved commands and a manual approval process. The research highlights flaws in the blocklist mechanism designed to prevent dangerous command arguments, rendering Claude Code vulnerable to misuse.
One of the primary issues lies in how the system handles commands like `man` and `sort`. For instance, the `man` command's blocklist fails to account for the `--html` argument, which can execute arbitrary commands. Similarly, the `sort` command allows arguments that can be exploited to run commands via a specified program, such as `sh`. These vulnerabilities allow attackers to execute commands like `touch /tmp/pwned` without needing explicit permission.
Other vulnerabilities arise from Git's handling of abbreviated command options, which can bypass security filters. By using a shortened version of an argument, users can execute unauthorized commands. The `sed` command also poses a risk, as its built-in `e` modifier can execute shell commands directly from input. Overall, these findings reveal significant weaknesses in Claude Code’s design, particularly in how it processes command arguments and permissions.
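The abbreviated-option problem described above, seen from the filter's side, as an added example that is not code from the article or from Claude Code. The tool, its option table and the option names are constructed for illustration. The only behaviour assumed is that the parser accepts a unique prefix of a long option, as Git's option parser and GNU `getopt_long` do.

```python
import re

# Constructed option table for a hypothetical tool; none of these names come
# from the article. "--exec-helper" stands in for an option that runs a program.
KNOWN_LONG_OPTS = ["--exec-helper", "--exclude", "--quiet", "--sort"]
ALLOWED = {"--exclude", "--quiet", "--sort"}

# Weak filter: a regex that blocks only the full spelling of the risky option.
NAIVE_BLOCK_RE = re.compile(r"^--exec-helper(=|$)")


def naive_filter_allows(argv):
    """Blocklist check that matches only the exact option name."""
    return not any(NAIVE_BLOCK_RE.match(a) for a in argv)


def resolve_long_opt(arg):
    """Expand a long option the way a prefix-accepting parser would:
    an exact match wins, otherwise a unique prefix is accepted."""
    name = arg.split("=", 1)[0]
    if name in KNOWN_LONG_OPTS:
        return name
    matches = [o for o in KNOWN_LONG_OPTS if o.startswith(name)]
    return matches[0] if len(matches) == 1 else None  # unknown or ambiguous


def strict_filter_allows(argv):
    """Allowlist check on the option the parser will actually act on.
    Short options and anything that does not resolve are refused."""
    for arg in argv:
        if arg == "--":
            break  # end of options for getopt-style parsers
        if arg.startswith("--"):
            if resolve_long_opt(arg) not in ALLOWED:
                return False
        elif arg.startswith("-") and arg != "-":
            return False
    return True


if __name__ == "__main__":
    for argv in (["--exec-helper=sh"], ["--exec=sh"], ["--quiet", "file.txt"]):
        print(argv, naive_filter_allows(argv), strict_filter_allows(argv))
```

The naive filter and the parser disagree about what `--exec=sh` means, and that disagreement is the whole bug. The strict filter removes it by resolving the option first and then applying a default-deny allowlist.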