There’s a growing pattern in modern AI developer tools: impressive capabilities wrapped in security models that look robust—but are, in reality, built on ad-hoc logic and optimistic assumptions.
Related video:
Claude Code is a great case study of this.
At first glance, it checks all the boxes:
- Sandboxing
- Deny lists
- User-configurable restrictions
But once you look closer, the model starts to feel less like a hardened security system… and more like a collection of vibecoded guardrails—rules that work most of the time, until they don’t.
The Illusion of Safety
The idea behind Claude Code’s security is simple: prevent dangerous actions (like destructive shell commands) through deny rules and sandboxing.
But this approach has a fundamental weakness: it relies heavily on how the system is used, not just on what is allowed.
In practice, this leads to fragile assumptions such as:
- “Users won’t chain too many commands”
- “Dangerous patterns will be caught early”
- “Performance optimizations won’t affect enforcement”
These assumptions are not guarantees. They are hopes.
And security built on hope is not security.
Vibecoded Guardrails
“Vibecoded” guardrails are what you get when protections are implemented as:
- Heuristics instead of invariants
- Conditional checks instead of enforced boundaries
- Best-effort filters instead of hard constraints
They emerge naturally when teams prioritize:
- Speed of development
- Lower compute costs
- Smooth UX
But the tradeoff is subtle and dangerous: security becomes probabilistic.
Instead of “this action is impossible,” you get:
“this action is unlikely… under normal usage.”
That’s not a guarantee an attacker respects.
Trusting the User (Even When They’re Tired)
One of the most overlooked aspects of tool security is the human factor.
Claude Code’s model implicitly assumes:
- The user is paying attention
- The user understands the risks
- The user won’t accidentally bypass safeguards
But real-world developers:
- Work late
- Copy-paste commands
- Chain multiple operations
- Automate repetitive tasks
In other words, they behave in ways that systematically stress and bypass fragile guardrails.
A secure system should protect users especially when they are tired, not depend on them being careful.
When Performance Breaks Security
A recurring theme in modern AI tooling is the cost of security.
Every validation, every rule check, every sandbox boundary:
- Consumes compute
- Adds latency
- Impacts UX
So what happens?
Optimizations are introduced:
- “Stop checking after N operations”
- “Skip deeper validation for performance”
- “Assume earlier checks are sufficient”
These shortcuts are understandable—but they create gaps.
And attackers (or even just unlucky workflows) will find those gaps.
The Bigger Pattern in AI Tools
This isn’t just about Claude Code. It reflects a broader industry trend:
1. Security as a UX Layer
Instead of being enforced at a system level, protections are implemented as user-facing features.
2. Optimistic Threat Models
Systems are designed for “normal usage,” not adversarial scenarios.
3. Cost-Driven Tradeoffs
Security is quietly weakened to reduce token usage, latency, or infrastructure cost.
So What Should We Expect Instead?
If AI coding agents are going to run code on our machines, security needs to move from vibes to guarantees.
That means:
- Deterministic enforcement (rules that cannot be bypassed)
- Strong isolation (real sandboxing, not conditional checks)
- Adversarial thinking (assume misuse, not ideal usage)
Anything less is not a security model—it’s a best-effort filter.
Final Thoughts
Claude Code highlights an uncomfortable truth:
Many AI tools today are secured just enough to feel safe—but not enough to actually be safe under pressure.
As developers, we should treat these tools accordingly:
- Don’t blindly trust guardrails
- Assume edge cases exist
- Be cautious with automation and chaining
Because when security depends on “this probably won’t happen”…
it eventually will.
Further Reading
- https://code.claude.com/docs/en/sandboxing
- https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox
If you’re building or using AI agents, it’s worth asking a simple question:
Are the guardrails real… or just vibes?
ivanmosquera.net 