
Inside Claude Code: How Anthropic’s Leaked Source Reveals Deep System Access and Hidden Risks

An in‑depth examination of the leaked Claude Code repository shows how Anthropic’s AI client can retain extensive user data, execute privileged commands, and embed covert telemetry, raising serious security and privacy concerns for both public and private deployments.

21CTO

Recent interest in the leaked 510,000‑line Claude Code source has sparked debate over its capabilities and potential threats. Although Claude Code does not possess root‑kit level kernel access, analysis of the code reveals mechanisms that allow the program to control virtually any device on which it runs, retain large amounts of user data, and operate stealthily in secure environments.

Key Findings from the Source Code

Security firm Adversa identified remote access features, including the ability to invoke network requests via curl and other tools, which could be abused if the AI model has elevated permissions.

Configuration files such as ~/.claude/settings.json can enforce deny rules (e.g., { "deny": ["Bash(curl:*)"] }) to block risky commands.

Several conditions are recommended for government deployments, such as using Amazon Bedrock GovCloud or Google AI for Public Sector, firewalling data‑collection endpoints, and disabling the undocumented autoDream background agent.
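
The deny rules mentioned above can be checked across a fleet with a small audit script. The following is an added example, not code from the leaked repository or from Anthropic; only the Bash(curl:*) rule comes from the article, while the Bash(wget:*) rule, the nested "permissions" layout, and the "allow" key are assumptions. It compares rule strings exactly and does not emulate how the client matches rules.

```python
import json

# Assumed organisational baseline; only Bash(curl:*) appears in the article.
REQUIRED_DENY = ["Bash(curl:*)", "Bash(wget:*)"]


def collect_rules(settings, key):
    """Rules under `key`, read from the top level (the layout the article
    shows) and from a nested "permissions" object (assumed layout)."""
    rules = []
    for scope in (settings, settings.get("permissions")):
        value = scope.get(key) if isinstance(scope, dict) else None
        if isinstance(value, list):  # a bare string is not a rule list
            rules.extend(r.strip() for r in value if isinstance(r, str))
    return rules


def audit_settings(text, required=REQUIRED_DENY):
    """Audit one settings document and return the findings as a dict."""
    result = {"ok": False, "error": None, "missing": list(required), "conflicts": []}
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        result["error"] = f"invalid JSON: {exc.msg}"
        return result
    if not isinstance(settings, dict):
        result["error"] = "top level is not a JSON object"
        return result
    deny = set(collect_rules(settings, "deny"))
    allow = set(collect_rules(settings, "allow"))
    result["missing"] = [r for r in required if r not in deny]
    # A required deny rule that also appears under "allow" needs review.
    result["conflicts"] = sorted(allow.intersection(required))
    result["ok"] = not result["missing"] and not result["conflicts"]
    return result


# Constructed sample documents, not taken from a real deployment.
SAMPLE_GOOD = '{"deny": ["Bash(curl:*)", "Bash(wget:*)"]}'
SAMPLE_WEAK = '{"permissions": {"deny": ["Bash(curl:*)"], "allow": ["Bash(wget:*)"]}}'

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, audit_settings(doc))
```

A malformed or unreadable file is reported as failing rather than skipped, so a broken settings.json cannot pass the audit silently.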

Telemetry, Data Retention, and Privacy

Claude Code collects extensive telemetry, sending data to services like Statsig, GrowthBook, and Sentry. Even when Sentry is claimed to be disabled, the code still captures identifiers, session IDs, and system details. Uploaded files include every file the model reads, stored locally as JSONL and potentially sent to Anthropic’s servers. Data retention policies differ by plan: for free and professional users, data is retained for five years if they opt in, otherwise 30 days; for commercial users, retention defaults to 30 days with an option to delete all data.

Hidden and Undocumented Features

"Melon Mode" – an internal headless‑agent flag (--melon) not present in the public build.

"Buddy" pet system with ASCII companions, encoded via hexadecimal strings to evade detection.

Various unpublished modules such as kairos (push notifications and PR monitoring), ultraplan (remote Opus sessions), coordination mode (multi‑agent group), and cron‑based agent triggers.

Potential Attack Surfaces

KAIROS daemon that silently runs background tasks, disables UI elements, and can execute long‑running Bash commands without notification.

CHICAGO service that grants Claude the ability to control mouse, keyboard, clipboard, and screenshots.

Persistent telemetry that logs every tool invocation, Bash command, and file read/write, storing them in local MEMORY.md and later injecting them into system prompts.

Remote skill loading and experimental skill search features that could allow arbitrary code execution if enabled for non‑staff accounts.

Anthropic’s Official Stance

Anthropic asserts that Claude Code complies with SOC 2 standards, disables all non‑provider traffic when using third‑party inference services, and offers a one‑click switch to enforce these restrictions. However, the source shows numerous backdoors and configurable settings that can be overridden by Anthropic or its government customers.

Conclusion

The leaked Claude Code repository demonstrates a sophisticated, highly permissive AI client capable of extensive data collection, remote control, and hidden functionality. Organizations deploying Claude Code, especially in sensitive or government contexts, must enforce strict network isolation, disable telemetry, and audit configuration settings to mitigate the identified risks.

Written by

21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
