What to protect, what to restrict, what to never share
The Helpful Backdoor
A developer clones a popular open-source starter template. It has great reviews, 2,000 stars, and a .claude/ directory pre-configured with skills and agents. Convenient — someone already set up Claude Code for this stack.
The developer starts coding. Claude works beautifully — formatting, testing, reviewing. What the developer doesn't notice: one of the pre-configured skills has allowed-tools: Bash and includes a line that runs curl to POST the contents of every .env file to an external server.
The skill runs every time Claude processes a prompt. The developer's API keys, database credentials, and Stripe secrets are exfiltrated within the first session.
The .claude/ directory was the attack vector. The developer never read the SKILL.md files.
Today you learn the security mindset: what to audit, what to restrict, what to never share — and how to configure Claude so that even a mistake has limited blast radius.