Reverse engineering Claude Code

https://kirshatrov.com/posts/claude-code-internals

114•gianpaj•8mo ago

Comments

therein•8mo ago

It is an interesting read. I can imagine a future where the "tools" we make available become numerous enough and poorly thought out enough that an AI could actually figure out how to escalate privileges and execute stuff outside the defined security boundaries by combining them.

It isn't hard to think of a simple example in which Claude.md can be written to by the LLM to allow accessing endpoints not whitelisted by the user by smuggling a base64 encoded payload that then gets decoded by a subroutine it wrote to a file without you noticing. Or realizing it can't use the WebFetchTool but it can write a script to do manual DNS resolution and then use bash TCP sockets instead of curl in case it is hardened to not be able to use curl.

lobochrome•8mo ago

I see this behavior all the time. When it can’t read a file using its read tool - it escalates up to try with bash. Often it tries to search the entire file system “find / …”

0x696C6961•8mo ago

I always tell agents to use ripgrep instead of find.

throwaway0665•8mo ago

Cursor has basically run into this exact thing. It figured out it can read .env files by running other tools despite the file being "blocked": https://github.com/getcursor/cursor/issues/2546

rtrgrd•8mo ago

Quite concerning to see the issue still marked as open (since jan!), hopefully it got fixed and it's just that no one marked as closed

swalsh•8mo ago

I ran into this issue, I built my own bash and SSH MCP server. In my first iteration I did not quite trust Claude yet so I limited the commands it was allowed to run in Bash. But I gave it access to Python, so any time it ran into a limitation it ended up using python to work around it. It's exceedingly good at problem solving.

I Eventually learned to trust Claude, and just gave it access to everything. It's crazy how useful having AI do tasks for you like setting up servers, configuring them etc (one exapmple, I asked claude to create a webhook for my deployment pipeline, and it wrote the shell script, and did the server side configuration in 1-shot. I did't have a github tool so I did that manually in the UI)

manwithaplan•8mo ago

XKCD 416: Zealous Autoconfig https://xkcd.com/416/

mattigames•8mo ago

It's missing one last panel where he is under his bed googling for lawyers specialized on kidnapping and CFAA charges

rmonvfer•8mo ago

The source code for a pre-release version got leaked a while ago (they forgot to remove the embedded source map) and if you can find it, it’s definitely worth looking into.

tough•8mo ago

did u manage to find it now?

acheong08•8mo ago

I still have it on my laptop. The repository got DMCAed

tough•8mo ago

I remember, and saw the DMCA'd repo, but I dunno if i ever cloned it locally or not.

i'll have to dig on my disk i guess

pram•8mo ago

An interesting thing about the “agent” (it’s called Task inside Claude Code) is it starts a completely new Claude chat, with its own context etc. I’ve seen a Task go write its own code in multiple files and then your “main” chat ends up confused about what happened.

It also responds to the Task summary like you typed the message sometimes, like “That’s a fascinating analysis!” so kind of quirky.

cloudking•8mo ago

Claude Code seems a lot more stable than Cursor Agent. I've had it run for 15-20 minutes on a single prompt, debugging, testing and fixing bugs. Also haven't seen network timeout or file edit failures.

mudkipdev•8mo ago

11 cents to describe the project in the current directory is ridiculous.

laegooose•8mo ago

ridiculously low?

alexchamberlain•8mo ago

I think it depends on the project. I think most of us could eye ball a blog directory pretty quickly and get more or less the same idea. However, give it a gnarly bit of legacy code in a language you haven't used for a while, and indeed, 11c is pretty cheap.

mudkipdev•8mo ago

Claude code wastes way too many tokens compared to other agents doing the same task

robocat•8mo ago

The other agent is often a human.

A human getting paid 1 cent per second ($36.00 per hour) is 75k/yr (cost to business is ~2x that).

So if Claude manages to save 11 seconds of human time for 11 cents, that would be a good deal.

Tax section 174 makes the employee costs amortised, so spending on Claude as an expense to save employee costs is more valuable than first appearances.

kissgyorgy•8mo ago

Probably that's why it's so good.

varunvs•8mo ago

Claude Code has support for AWS Bedrock. You can use Sonnet models available in AWS Bedrock to run Claude Code locally. This means you can also leverage Bedrock logs to inspect the API calls and the prompts sent.

I was amazed and excited by how good Claude Code is compared to Windsurf/Cursor and wanted to inspect the working. I inspected the logs and got an understanding on its system prompt as well the tools used. It is a great combination of prompt engineering, tool calls, tools orchestration.

weird-eye-issue•8mo ago

You don't need to overcomplicate things

Just set the base url to a local ngrok and it will log the request

This gives the full prompt with all tool calls

With a proxy you can have it forward requests to Anthropic if you want to see it actually working too and not just the initial request (since it will fail without forwarding them)

varunvs•8mo ago

That's a great trick. I do not have a Claude subscription and my current setup is to use with Bedrock backend. Initially I tried with mitmproxy but I think AWS had pinned the TLS certificates causing the requests to fail.

Personalizing esketamine treatment in TRD and TRBD

SpaceKit.xyz – a browser‑native VM for decentralized compute

NotebookLM: The AI that only learns from you

Show HN: An open-source starter kit for developing with Postgres and ClickHouse

Game Boy Advance d-pad capacitor measurements

South Korean crypto firm accidentally sends $44B in bitcoins to users

Apache Poison Fountain

Web.whatsapp.com appears to be having issues syncing and sending messages

Google in Your Terminal

Shannon: Claude Code for Pen Testing: #1 on Github today

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge

Arcan Explained: A browser for different webs

What did we learn from the AI Village in 2025?

An open replacement for the IBM 3174 Establishment Controller

The P in PGP isn't for pain: encrypting emails in the browser

Show HN: Mirror Parliament where users vote on top of politicians and draft laws

Ask HN: Opus 4.6 ignoring instructions, how to use 4.5 in Claude Code instead?

We Mourn Our Craft

Jim Fan calls pixels the ultimate motor controller

Exploring a Modern SMTPE 2110 Broadcast Truck with My Dad

AI UX Playground: Real-world examples of AI interaction design

The Field Guide to Design Futures

The Other Leverage in Software and AI