╭─────────────────────────────────── xrails ───────────────────────────────────╮
│ xrails scan — /tmp/exfil                                                     │
│ Profiles: claude-code   ·   Attack paths: 1                                  │
│ Findings: 0C 3H 1M 0L                                                        │
│ Grade C (65/100)                                                             │
╰──────────────────────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────────────────────╮
│  HIGH   XR-AP-EXFIL-001  High-confidence secret exfiltration path            │
│ ·  confidence HIGH  ·  runtime active-runtime                                │
│                                                                              │
│ Attack chain                                                                 │
│   ├─▶ Secret-like keys detected in /tmp/exfil/.env                           │
│   ├─▶ Agent can read workspace files without restriction                     │
│   ├─▶ Outbound network egress is available                                   │
│   └─▶ Approval prompts are disabled or bypassed                              │
│                                                                              │
│ Why this matters                                                             │
│ Full exfiltration path: secret-like keys in /tmp/exfil/.env, unrestricted    │
│ file read, network egress available, approvals bypassed.                     │
│                                                                              │
│ Fix                                                                          │
│ Rotate any credentials that may have been exposed.                           │
╰──────────────────────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────────────────────╮
│  HIGH   XR-CLAUDE-001  bypassPermissions mode enabled                        │
│ .claude/settings.json  ·  confidence HIGH  ·  runtime active-runtime         │
│                                                                              │
│ Why this matters                                                             │
│ Claude Code permissions.mode=bypassPermissions disables approval prompts for │
│ nearly every tool action.                                                    │
│                                                                              │
│ Fix                                                                          │
│ Set defaultMode to 'default', 'plan', or 'dontAsk' for workstation use. If   │
│ automation requires bypass, run inside an isolated container or VM with no   │
│ access to production systems, credentials, or sensitive paths. For org-wide  │
│ enforcement, set permissions.disableBypassPermissionsMode = 'disable' in     │
│ managed settings — users cannot override this. Audit existing allow rules    │
│ and remove any that are broader than needed.                                 │
╰──────────────────────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────────────────────╮
│  HIGH   XR-CLAUDE-003  WebFetch allowed without domain scoping               │
│ .claude/settings.json  ·  confidence MEDIUM  ·  runtime active-runtime       │
│                                                                              │
│ Why this matters                                                             │
│ Claude Code allow list contains WebFetch or WebFetch(*) without domain       │
│ scoping.                                                                     │
│                                                                              │
│ Fix                                                                          │
│ Replace WebFetch with domain-scoped rules for each approved endpoint:        │
│ WebFetch(domain:api.github.com), WebFetch(domain:registry.npmjs.org). Add    │
│ deny rules for Bash network tools to prevent bypass: Bash(curl *), Bash(wget │
│ *), Bash(nc *), Bash(ncat *). Denying WebFetch alone is insufficient if Bash │
│ is allowed — curl and wget can still reach any URL.                          │
╰──────────────────────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────────────────────────╮
│  MEDIUM   XR-CLAUDE-009  No deny rules for .env or credential files          │
│ .claude/settings.json  ·  confidence MEDIUM  ·  runtime active-runtime       │
│                                                                              │
│ Why this matters                                                             │
│ Claude Code permissions.deny does not cover .env, ~/.aws, or ~/.ssh paths.   │
│                                                                              │
│ Fix                                                                          │
│ Add deny rules for sensitive paths in permissions.deny: Read(./.env*),       │
│ Read(~/.aws/*), Read(~/.ssh/*), Read(~/.netrc). Read(./.env) blocks the Read │
│ tool but not cat .env in Bash. Also add Bash deny rules for cat/less/more on │
│ sensitive files, or enable OS-level sandboxing for full enforcement.         │
╰──────────────────────────────────────────────────────────────────────────────╯

4 findings (0 critical, 3 high, 1 medium, 0 low)   ·   active-runtime: 4
