by reader_1000 77 days ago
For some reason, this made everything worse for me. Now claude constantly tries to access my home folder instead of the current directory. Obviously this is still not good enough. Also Claude keeps dismissing my instructions not to read my home directory and to use the current directory. Weird.
2 comments

The problem with all these LLM-instructed security features is the `codeword` poison probability.

The way LLMs process instructions isn't intelligence as we humans know it, but the probability that an instruction will lead to an output.

When you don't mention $HOME in the context, the probability that it will do anything with $HOME remains low. However, if you mention it in the context, the probability suddenly increases.

No amount of additional context will have the same probability of never having poisoned the context by mentioning it. Mentioning $HOME brings in a complete change in probabilities.

These coding harnesses aren't enough to secure a safe operating environment because they inject poison context that _NO_ amount of textual context can rewire.

You just lost the game.

I have the same problem. If my sandbox includes `denyRead: ["~"]`, claude consistently tries to do things inside my home directory. For example, every time I start claude I tell it to "run pwd".

And every time it says this:

    Bash(pwd)
      ⎿  /home/<username>
      ⎿  Shell cwd was reset to /home/<username>/Projects/<current-working-dir>

This breaks a bunch of features in inconsistent ways (e.g., `git status` sometimes works and sometimes doesn't).

There are issues reporting this problem to Anthropic, but they are all closed with no helpful comments:

https://github.com/anthropics/claude-code/issues/11067

https://github.com/anthropics/claude-code/issues/17053

https://github.com/anthropics/claude-code/issues/27255
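The practical point in the comment above is that a deny rule written as `~` covers every directory under the home directory, including the project the agent is supposed to work in. The following is an added example, not code from the thread or from Claude Code, and it does not claim to reproduce how Claude Code evaluates `denyRead`. It implements a generic prefix-based read-deny check with shell-style `~` expansion and path normalization (so `..` traversal cannot dodge a rule), under the assumed semantics that the most specific matching rule wins, with deny winning ties. The home directory `/home/alice` and the rule names are constructed for the illustration. It can be used as a pre-flight check that a proposed deny list does not swallow the working directory, and to build a narrower deny list that covers only sensitive dotfile directories.

```python
import posixpath

# Constructed home directory; stands in for the real $HOME in this illustration.
HOME = "/home/alice"


def expand_tilde(entry, home=HOME):
    """Expand a leading "~" the way a shell would, without touching the real environment."""
    if entry == "~":
        return home
    if entry.startswith("~/"):
        return posixpath.join(home, entry[2:])
    return entry


def normalize(path, home=HOME):
    """Expand "~" and collapse ".", ".." and duplicate slashes, so that
    ~/Projects/app/../../.ssh matches a rule written as ~/.ssh."""
    return posixpath.normpath(expand_tilde(path, home))


def covers(rule, path):
    """True if `path` is `rule` itself or lies underneath it (both already normalized)."""
    if rule == "/":
        return True
    return path == rule or path.startswith(rule + "/")


def read_denied(path, deny_read, allow_read=(), home=HOME):
    """Decide whether a read of `path` is denied.

    Assumed semantics for this example (not a statement about any real harness):
    every entry is a directory prefix; the most specific (longest) matching rule
    wins, so an allow entry can carve a project directory out of a broader deny;
    on a tie deny wins; a path matching no rule is readable."""
    target = normalize(path, home)
    best_len, denied = -1, False
    rules = [(e, True) for e in deny_read] + [(e, False) for e in allow_read]
    for entry, is_deny in rules:
        rule = normalize(entry, home)
        if covers(rule, target) and len(rule) > best_len:
            best_len, denied = len(rule), is_deny
    return denied


def cwd_conflicts(cwd, deny_read, allow_read=(), home=HOME):
    """Pre-flight check: a deny rule that covers the working directory is a misconfiguration,
    because the agent cannot read the very tree it is supposed to edit."""
    return read_denied(cwd, deny_read, allow_read, home)


# Hypothetical list of directories worth denying instead of the whole home directory.
SENSITIVE = ("~/.ssh", "~/.aws", "~/.gnupg", "~/.config")


def narrow_deny_for(cwd, sensitive=SENSITIVE, home=HOME):
    """Return the sensitive entries that can be denied without covering `cwd`."""
    target = normalize(cwd, home)
    return [s for s in sensitive if not covers(normalize(s, home), target)]


if __name__ == "__main__":
    cwd = "~/Projects/app"
    # Denying "~" also denies the project directory underneath it.
    print(cwd_conflicts(cwd, ["~"]))
    # An explicit allow for the project carves it out of the broad deny.
    print(cwd_conflicts(cwd, ["~"], allow_read=[cwd]))
    # ...while keys elsewhere under ~ stay denied.
    print(read_denied("~/.ssh/id_ed25519", ["~"], allow_read=[cwd]))
    # Traversal from inside the project is normalized before matching.
    print(read_denied("~/Projects/app/../../.ssh/id_ed25519", ["~/.ssh"]))
    # A narrow deny list leaves the working directory readable.
    print(cwd_conflicts(cwd, narrow_deny_for(cwd)))
```

The trade-off the example makes visible: a blanket `~` deny needs a matching allow for the project tree, or it should be replaced by a short list of sensitive directories; either way, run the conflict check against the working directory before starting the agent rather than discovering the collision from a reset cwd mid-session.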