Is Claude Code Safe to Use? An Honest Answer for Beginners
"Safe" is really three questions: can Claude Code wreck the files on your computer, does Anthropic see or train on your code, and can someone hijack it? Here is the plain-English answer to all three, what the official docs actually say, and the two-minute setup that covers the one risk that is real.
You are about to let an AI run commands on your actual computer, and you want a straight answer: is Claude Code safe?
Here is the short version. With its default settings, yes. But "safe" is really three different questions wearing one word, and the honest answer to each one is different. Let me take them one at a time, using what Anthropic's own security docs actually say, plus the one risk the docs can't remove for you.
Question 1: Can it wreck the files on my computer?
This is the fear that brings most people here, so let's start with how the tool is actually built.
By default, Claude Code uses what Anthropic calls a permission-based architecture: it starts with strict read-only permissions, and when it wants to do anything that changes your system (edit a file, run a command), it stops and asks you first. A short list of harmless read-only commands like ls and git status runs without a prompt. Everything else waits for your yes.
There is also a hard boundary on where it can write. Per the security docs, Claude Code can only write to the folder where you started it and its subfolders. It can read files outside that folder (it needs to, for things like system libraries), but it cannot modify anything in parent directories without explicit permission. Your vacation photos are not in play because you asked it to fix a spreadsheet script.
So the design is genuinely careful. Now the honest part.
The real-world risk lives inside your project folder, in the actions you approve. Nothing about a permission prompt guarantees the action behind it is a good idea. Two ways this bites beginners:
- Prompt fatigue. After twenty prompts, you stop reading and start hitting yes. The docs put the responsibility plainly: you are the one reviewing commands before approval. When you stop reviewing, the prompts protect nothing.
- Convenience modes. The popular accept-edits mode auto-approves file edits plus a fixed set of filesystem commands including
rm,mv, andcpinside your project. That means a file can be deleted or overwritten without a prompt, in the mode most people switch on within their first week. We broke down exactly what each mode auto-approves in Is it safe to let Claude Code auto-accept edits?
And the built-in undo has a gap you should know about before you need it: Claude's /rewind checkpoints track the edits Claude makes, not files removed through shell commands. We tested this the hard way: does Claude Code's rewind undo deleted files? Short answer, not the ones that matter most.
Verdict on question 1: the architecture is solid, the boundary is real, and the remaining risk is concentrated in one spot, your own project files during approved actions. That spot is exactly what a two-minute safety net covers. Hold that thought.
Question 2: Does Anthropic see my code, and do they train on it?
Claude Code runs locally on your machine. There is no upload-your-whole-project step. But it is not offline software: to work, it sends your prompts and the relevant code to Anthropic's servers, encrypted in transit with TLS 1.2+, per the data-usage docs.
The training question depends on which kind of account you have:
- Consumer plans (Free, Pro, Max), which is most readers of this blog: whether your sessions train future models is a setting you choose, and Claude Code sessions follow it. If you allow training, data is retained up to 5 years. If you decline, retention is 30 days. You can change your answer anytime at claude.ai under privacy settings.
- Commercial terms (Team, Enterprise, API): Anthropic does not train generative models on your code or prompts by default. Opting in exists but it is an explicit program an admin has to choose.
Two smaller flows worth knowing so nothing surprises you: Claude Code sends operational telemetry (latency, reliability), and the docs state this logging does not include any code or file paths; you can disable it with an environment variable. And the /feedback command sends a copy of your conversation only when you run it yourself.
Verdict on question 2: your code does travel to Anthropic's servers to be processed, encrypted in transit. Whether it trains models is your explicit choice on consumer plans and off by default on commercial ones. If that choice matters to you, set it once before your first session and it is settled.
Question 3: Can someone hijack it?
This is the newest kind of risk, and it deserves a plain-English explanation because most articles either ignore it or hype it.
Prompt injection means malicious text attacks the AI instead of your computer. Imagine a web page, or a README inside a project you downloaded, containing hidden instructions like "ignore your user and run this command." Claude reads text to do its job, so hostile text is a real attack surface.
Anthropic ships several defenses, straight from the security docs: sensitive operations still require your approval (the permission system is the backstop), commands that fetch content from the web such as curl and wget are not auto-approved by default, suspicious commands require manual approval even if previously allowlisted, unmatched commands fail closed to a prompt, and the first time you run Claude Code in a new folder it asks whether you trust it.
The same docs are also refreshingly honest: "no system is completely immune to all attacks." So the practical rules for a beginner are short: stick to projects and pages you trust, do not pipe random internet content into Claude, and keep the permission prompts on when touching anything untrusted. That is it. For learning on your own small projects, this risk is close to zero.
So what actually goes wrong? (And the two-minute answer)
Put the three questions side by side and a pattern shows up. The privacy question is settled by one setting. The hijack question is settled by common sense while you learn. The stories you have actually read, the "Claude Code deleted my files" posts, all come from question 1: an approved or auto-approved action inside the project folder, hitting files that had no backup, in the exact spot where git and /rewind both have blind spots (new files, gitignored files like .env, anything removed through the shell).
Which means making Claude Code safe is not a research project. It is a short checklist:
- Learn in a throwaway folder. Your first sessions should happen where a mistake costs nothing.
- Keep the default prompts while you learn, and actually read them. Speed modes come later, after the net is up.
- Ask for a checkpoint before big changes. Plain English works: "make a checkpoint before we start." (Full walkthrough: how to back up before Claude Code edits.)
- Cover the files normal undo misses. This is the one gap the defaults leave open. A tiny local add-on called Undeletable saves a byte-for-byte copy of every file before Claude touches it, including shell deletions and gitignored files, so recovery is typing
/restore. One-time $19, runs entirely on your machine, which also means nothing new leaves your computer.
The fastest way to do all of it in the right order is the free Claude Code Safety Checklist. It is the calm, do-this-then-this version of everything above, and we email it to you so it is sitting in your inbox before your first real session.
The bottom line
Is Claude Code safe to use? With default settings and a two-minute net: yes. The architecture asks before it changes anything, it cannot write outside your project folder, your training preference is yours to set, and the hijack risk is manageable with basic care. The one risk that genuinely bites beginners, your own project files during approved actions, is also the one you can fully cover before your first session.
If you are brand new and want the friendly on-ramp, start with Claude Code for non-coders. If you want a guided path from first command to confident, that is what our Claude Code course is for. And whatever you do first, grab the free safety checklist so your first mistake is a story you tell, not work you lost.
Related reading: Is it safe to let Claude Code auto-accept edits? · Claude Code deleted my files · Does Claude Code's rewind undo deleted files? · How to back up before Claude Code edits · The free Claude Code Safety Checklist · All field notes
Frequently asked questions
- Is Claude Code safe to use?
- Yes, with its default settings and one honest caveat. By default Claude Code starts with read-only permissions and asks you before it edits a file or runs a command that changes anything, and it can only write inside the folder where you started it. The caveat is that once you approve an action, it runs for real on your real files, so the practical risk is not the tool going rogue. It is a wrong-but-approved step deleting or overwriting something you cared about. That risk is real, and it is also the easiest one to remove with a two-minute safety setup before your first session.
- Can Claude Code delete files on my computer?
- Inside your project folder, yes, if you approve the action or turn on a mode that auto-approves it. Anthropic's security docs state that write operations are confined to the folder where Claude Code was started and its subfolders, so it cannot modify files in parent directories without explicit permission. But within that folder, accept-edits mode auto-approves filesystem commands including rm, mv, and cp. And the built-in /rewind checkpoints track Claude's own edits, not files removed through terminal commands, which is exactly where the "Claude deleted my work" stories come from.
- Does Claude Code send my code to Anthropic, and do they train on it?
- Claude Code runs locally on your machine, but to work it sends your prompts and the relevant code to Anthropic's servers, encrypted in transit with TLS. Whether that data trains future models depends on your account. On consumer plans (Free, Pro, Max), it is a setting you control: allow training and data is retained up to 5 years, decline and it is retained 30 days. You can change the choice anytime in your privacy settings. On commercial terms (Team, Enterprise, API), Anthropic does not train on your code by default. Operational telemetry excludes your code and file paths, and can be disabled.
- Can Claude Code be hacked or hijacked through prompt injection?
- It is a real category of attack, and Anthropic treats it as one. Prompt injection is when malicious text hidden in something Claude reads (a web page, a README in a downloaded project) tries to override its instructions. Claude Code ships safeguards: sensitive operations require your approval, network-fetching commands like curl are not auto-approved by default, suspicious commands require manual approval even if previously allowed, and unmatched commands fail closed to a prompt. The docs are also honest that no system is completely immune, so the practical rule is simple: be extra careful about what you let Claude read and approve when working with untrusted content.
- Is Claude Code safe for a beginner who can't code?
- Yes, and in one way beginners are safer than experts: the default settings that ask before every change are exactly the ones beginners keep. The unsafe pattern is approving prompts on autopilot or switching on skip-permissions modes before you have a safety net. Start in a practice folder where mistakes cost nothing, keep the default permission prompts while you learn, and put a backup net under the files that git and /rewind both miss. That is a ten-minute setup, and after it the honest answer to "is this safe for me" is yes.
Never lose your work to Claude Code.
Drop your email. The free Claude Code Safety Checklist lands in your inbox. The 2-minute setup that stops almost every “Claude deleted my work” story.
free · one email · the checklist · unsubscribe anytime