
I'm trying to understand the scope of file access for an LLM running in agent mode (sandboxing, working directory, file permissions).

Which files can actually be accessed during execution (e.g. only files provided by the user, or more extensive system access)? And how is this scope enforced?

Essentially, I'm wondering what defines and limits an agent's file visibility, and whether it is necessary to run the agent in a container or VM.

1 Answer


Which files can an LLM agent access, and how are these restrictions enforced?

That depends on the program that calls the LLM. For example, in Claude Code, Codex and Cursor, the LLM can by default only access the files in the working folder.


Example with Claude Code via the desktop program on Windows (screenshots not reproduced here).

There are a few exceptions, e.g. %USERPROFILE%\.claude\settings.json.

  • Beware: at least with Claude Code on the command line, once you allow it to run commands, all bets are mostly off as to what files it can access. The system is not good at filtering the AI's proposed commands based on what files they access. It used to fail rather utterly at this; they've gotten better but you still shouldn't trust it. The AI's built-in file editing tools are safe, and will respect the directory restrictions; it's only the command-running tool that's the issue. Commented 4 hours ago
