Leaked Anthropic code shows Claude Code can access, store, and transmit vast amounts of user data and system information, raising privacy concerns.
The Register has obtained and analyzed leaked source code for Anthropic's Claude Code, revealing the AI coding assistant has far more system access and data collection capabilities than most users likely realize.
The code analysis shows Claude Code can exercise extensive control over any device where it's installed, from persistent telemetry and remote management to background agents that can read session transcripts and potentially execute remote code.
What Claude Code can do
For users not operating in classified environments with strict network controls, Anthropic maintains significant access to user data and systems:
Persistent telemetry and analytics - When launched, Claude Code phones home with user ID, session ID, app version, platform details, terminal type, organization UUID, account UUID, email address, and active feature flags. This data gets saved locally if the network is down.
Remote managed settings - Enterprise customers receive policy settings objects from Anthropic's servers that can override other configuration items, set environment variables, and take effect immediately via hot reload. Users only get notified of "dangerous" changes, but that definition comes from Anthropic's code.
Auto-updater - The system runs on every launch, pulling configuration from Statsig/GrowthBook. Anthropic can disable specific versions by choice.
Error reporting - Unhandled exceptions capture the current working directory, potentially exposing project names and paths, along with user identifiers and platform information.
autoDream background agent - This unreleased feature spawns a background subagent that searches through all JSONL session transcripts to consolidate memories. Whatever it writes to MEMORY.md gets injected into future system prompts and sent to the API.
Team Memory Sync - A bidirectional sync service connects local memory files to Anthropic's servers, allowing memory sharing across team members. It includes a secret scanner for known token patterns but could expose other sensitive data.
Experimental Skill Search - Available only to Anthropic employees, this feature can download skill definitions from remote servers, track usage, and execute remotely-downloaded skills. If enabled for regular users, it could theoretically allow remote code execution through prompt injections.
Data retention practices
Every file Claude Code reads gets saved and uploaded to Anthropic. The system captures every read tool call, every Bash command, every search result, and every edit, storing this information locally in plaintext JSONL files.
For Free/Pro/Max customers, Anthropic retains this data for either five years (if users opt in to model training) or 30 days (if not). Commercial users get 30-day retention with an option for zero-data retention.
Classified environment protections
The analysis identified several ways government agencies could limit Claude Code's remote communication:
- Ensure inference flows through Amazon Bedrock GovCloud or Google AI for Public Sector
- Block data gathering endpoints with firewalls
- Prevent system prompt fingerprinting
- Disable automatic updates via version pinning
- Disable autoDream feature
- Use flags like CLAUDE_CODE_DISABLE_AUTO_MEMORY=1 or CLAUDE_CODE_SIMPLE for bare mode
- Reroute API calls through private endpoints
The undercover operation
Perhaps most curiously, the source code contains instructions for Claude Code to hide its AI authorship when contributing to public code repositories. A file called undercover.ts contains prompts stating "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository" and instructs the AI not to reveal Anthropic-internal information in commit messages or pull requests.
This appears to be a response to open source projects that have banned AI-generated contributions.
The mystery of Melon Mode
The current source lacks a feature called "Melon Mode" that appeared in earlier reverse-engineered versions. This was behind an Anthropic employee feature flag and only ran internally. The code comment "Enable melon mode for ants if --melon is passed" suggests it might have been a headless agent mode, though Anthropic declined to comment on its purpose.
Privacy implications
The revelations about Claude Code's capabilities raise significant privacy concerns, particularly given how similar they are to the controversial Microsoft Recall feature that captured user activity. Unlike Recall, however, Claude Code's data collection is tied to an internet-connected service that can transmit information back to Anthropic.
For users who value privacy or work with sensitive code, the extensive system access and data retention practices may be concerning, especially since many of these capabilities operate silently in the background without clear user notification or easy opt-out mechanisms.
Comments
Please log in or register to join the discussion