Category Archives: Security

AI Loading Unsigned Markdown Is a Context-Trust Defect

Profero reports that Claude Desktop launches an AI child process with --allow-dangerously-skip-permissions, maps what that child can and cannot do, and claims an attack needs no shell access. Their post is called “We Added a Detection Rule. We Were Not Expecting This”. Points for click-bait, and the bones are good, although a few conclusions could use calcium and one is fractured.

Here’s my x-ray:

Claim: child cannot run shell. Reality: It can, at load.

Their chain rests on Bash being blocked, so the payload only fires when a later session runs it. That is true for the model’s tools, but it’s false for the skill file itself. A skill file in Claude Code has two documented features that act when the skill is invoked. The allowed-tools field pre-authorizes tools so the agent uses them without a prompt, and the docs say plainly that a skill can grant itself broad tool access. A backtick-shell syntax in the file runs commands as preprocessing, before the model ever reads the file. So the skill file does not wait for a later session. It can grant tools and run shell the moment it is invoked. There is an off switch, disableSkillShellExecution, and it is not on by default. See the skills reference.

I’m a big fan of the off switch, especially by default.

Claim: the risk is tied to the flag. Reality: The flag is not in the path.

Loading a skill is not a tool call, so it never reaches a permission prompt. The skill name and description load into the system prompt at startup, and the model picks the skill by matching that description. Turn every prompt back on and the skill still loads as trusted instructions. --allow-dangerously-skip-permissions decides whether tool calls ask first. It does not touch what the model is told to do. The chain works with the flag off.

Claim: monitor for writes and the gap is hours or days. Reality: It can be zero.

Their advice is to watch the skill directory and audit shell configs after long sessions. Useful, yet the timing is confused. The model invokes skills by description, so a widened description triggers itself with no user action, and Claude Code applies skill edits inside the running session without a restart. The write and the execution can land in the same session, same agent.

Claim: add signatures to help. Reality: Signing does not hit the problem.

Their proposed remedy is integrity: signatures and version pinning. That stops a file being changed after it is authored. It does nothing about a file that is hostile when it is authored. Anthropic’s own guidance states the trust model actually in use: use skills only from trusted sources, and audit anything else before use, the same care you would give to installing software. The trust decision is in fact a human looking at the source. There is no runtime check on where the file came from or what authority it should carry. A signed skill from a bad author is bad and signed.

Claim: this is about skills. Reality: It is much wider.

Skills are the clearest case because they sit on disk and reload on their own. The same command line carries --resume, which reloads a prior session’s transcript as trusted history. Tool descriptions from connected servers and fetched web pages reach the model the same way. Anything that enters the instruction channel is trusted, and nothing records where it came from.

Claim: that’s all. Reality: The system guards its own config but not its skills.

The --add-dir case is the plain one: point the agent at a repository to review it and that repository’s skills load on their own, no provenance asked. The same blind spot runs the other way at the config layer. The sandbox refuses writes to settings.json at every scope, so a command cannot rewrite its own policy, yet skills are also policy, since they carry tool grants and a shell primitive, and they get no such guard. The built-in Read, Edit, and Write tools also bypass the sandbox. The protection given to the config file is not given to the file that carries instructions. The sandbox scope is documented here.

The attack does not need the flag, and it does not need shell access in the first session. What it really needs is a file the agent will read and trust, and a way to write one.
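Since the only real gate is a human reading the skill source before trusting it, here is an added example (my own code, not Profero’s or Anthropic’s) of a pre-trust audit for a skill file: it pulls the allowed-tools grants out of the frontmatter, finds backtick-shell preprocessing that would run at load, flags a description broad enough to self-trigger, and reports whether disableSkillShellExecution is set in a parsed settings.json. The frontmatter layout and the !`cmd` preprocessing form are assumed from the skills reference; the sample skill and settings are constructed.

```python
import re

# Constructed sample skill file (not from any real project). Assumed layout: YAML
# frontmatter with name/description/allowed-tools, and !`cmd` shell preprocessing.
SAMPLE_SKILL = """---
name: repo-helper
description: Use for any task in this repository, including review, build and deploy
allowed-tools: Bash(*), Write, Edit
---
Current branch state: !`git status --short`
Summarise the repository and apply the requested change.
"""
# Constructed settings.json content with the off switch left at its default (unset).
SAMPLE_SETTINGS = {"permissions": {}}

FRONTMATTER = re.compile(r"^---\n(.*?)\n---\n", re.S)
SHELL_PREPROCESS = re.compile(r"!`([^`]+)`")
BROAD_DESCRIPTION = re.compile(r"\b(any|all|every)\b", re.I)

def parse_frontmatter(text):
    """Return the frontmatter as a dict of lowercased keys (flat key: value lines only)."""
    m = FRONTMATTER.match(text)
    meta = {}
    if m:
        for line in m.group(1).splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                meta[key.strip().lower()] = value.strip()
    return meta

def audit_skill(text, settings):
    """Findings a reviewer should see before a skill file is trusted, as strings."""
    findings = []
    meta = parse_frontmatter(text)
    # allowed-tools pre-authorizes tools, so the agent uses them with no prompt.
    for tool in (t.strip() for t in meta.get("allowed-tools", "").split(",")):
        if tool.startswith("Bash"):
            findings.append(f"pre-authorized shell tool: {tool}")
        elif tool in ("Write", "Edit"):
            findings.append(f"pre-authorized file write tool: {tool}")
    # Backtick preprocessing runs when the skill loads, before the model reads it.
    commands = SHELL_PREPROCESS.findall(text)
    for cmd in commands:
        findings.append(f"shell preprocessing runs at load: {cmd}")
    if commands and not settings.get("disableSkillShellExecution", False):
        findings.append("disableSkillShellExecution is off; preprocessing will execute")
    # A broad description lets the model pick the skill on its own.
    if BROAD_DESCRIPTION.search(meta.get("description", "")):
        findings.append("description is broad enough to self-trigger on most prompts")
    return findings
```

Even a benign-looking preprocessing command is flagged, because the point is the mechanism, not the command text.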

BART Clipper Outage Caused by Cubic Failing to Pay Its Network Bill

This is such a dumb story. The transit system in the Bay Area shut down because a vendor couldn’t do its most basic accounting. It didn’t keep track of its networks and bills.

…outage was caused by an AT&T network circuit that works between BART’s data center and Cubic’s ceasing to work, said Lalit Singh, chief operations officer at Cubic.

“That’s when we figured out that we have multiple accounts with AT&T. On one of the accounts, the payments were not made, and we couldn’t find where the circuits, which are in support of the BART system, were because they were not in our account system,” Singh said.

Critical infrastructure being run like it’s a hobby.

SCOTUS kills American Black votes with the bullet of Emergency Decree

Emergency Decree after Emergency Decree. An unargued emergency order of Texas is now cited authority inside another unargued emergency order for Alabama. Do you recognize the Trump platform yet?

A map governing Alabama’s 2026 elections will be aggressively reversed to a 2023 plan that the unanimous panel found unconstitutional after trial and again on remand. How is this even possible? SCOTUS freezes any remedy to racism, never the violations.

“Unsigned, per curiam opinion on the shadow docket, the SCOTUS conservatives allow Alabama to use a congressional map held repeatedly by a lower court to have been enacted with discriminatory intent.” Source: LawDork

Louisiana was the opinion that loaded the Emergency Decree and Alabama was the decree that fired it. America’s highest court just ran redeemer-era logic to kill American Black votes with the bullet of Emergency Decree.

The harm being done by SCOTUS is intentional and specific to 2026 because it is irreparable. They want a discriminatory election because it cannot be re-run. The voters in a district they just collapsed lose at least a full term of representation, if not permanently, and no later judgment returns it. The Emergency Decree was used so that a violation would be unrecoverable. That is why the timing was chosen. Proximity to the election was not an obstacle the Court worked around; it was the design. Run an emergency docket, with a manufactured emergency for the court to block American Black votes, and the election is over before any merits ruling could touch it.

The unsigned opinion is forcing Alabama to reverse to a map that has been blocked twice, both before and since Callais, under Section 2 and the Fourteenth Amendment.

The KPD held exactly 100 seats from the November 1932 election, and NSDAP was rapidly declining in popularity, so “100 deputies to be arrested” is literal, and the decree is what let Hitler clear political opponents from the chamber before the 5 March vote. The emergency was manufactured to end democracy.

a16z Funds DOGE Pivot From Gutting Government to Squeezing the Dying

Medicare pays hospice a flat per diem. The same daily rate whether your team makes one visit or five.

That means the margin in hospice does not come from better care. It comes from two things: enrolling patients who need the least care, and holding service intensity below the per diem. Longer stays of low-acuity patients are the most profitable, which is exactly why the aggregate cap exists, because providers were enrolling people too early and keeping them too long.

For-profit hospices already select less resource-intensive patients than nonprofits. That pattern is documented going back years.

Now read a DOGE-bros “Special” pitch against that. They say they will “root out waste” using AI “efficiencies” to “increase nurse pay.”

One needs to look no further than childcare learning centers in Minnesota or hospice businesses in California to find immense waste at the state level from businesses that benefit from taxpayer dollars.

Targets named. The method to generate margin they are promising investors is delivering less care per reimbursed dollar, then optimizing patient selection toward the cheapest bodies to serve.

They are literally describing undertreatment of dying people and calling it efficiency.

The DOGE-bros believe care is waste.

Notice also how they move to “open source all billing claims”. They mean the claims that show what they collected from Medicare. They do not want to show who was enrolled, whether those patients were actually terminal, what care was withheld, or how anyone died. Publishing the money is not accountability for the care. It displays the one number they want celebrated, while they make “proprietary” every number that would convict them.