Claude Code Remote Control: Convenient Feature or Security Nightmare?

Anthropic just shipped Remote Control for Claude Code. It lets you connect to a running Claude Code session from your phone, tablet, or any browser. Your AI coding agent keeps running on your machine while you steer it from anywhere.

Sounds convenient. It is. It's also a significant expansion of the attack surface for anyone using AI coding agents in production.

What Remote Control Actually Does

You run claude remote-control in your terminal. Claude Code starts a local session and registers with Anthropic's API via outbound HTTPS. Then you connect from claude.ai/code or the Claude mobile app. Messages route through Anthropic's servers. Your session stays local, but it's now remotely accessible.

From the official docs: "Your local Claude Code session makes outbound HTTPS requests only and never opens inbound ports on your machine. When you start Remote Control, it registers with the Anthropic API and polls for work."

Key capabilities:

• Full local environment access remotely: filesystem, MCP servers, tools, project config

• Conversation syncs across all connected devices

• Auto-reconnects after laptop sleep or network drops

• Can be enabled for ALL sessions by default via /config

The Security Implications Nobody's Talking About

1. Session Tokens as Attack Surface

Remote Control creates a session URL that grants full access to a running Claude Code instance. That instance has whatever permissions you gave it: file read/write, terminal access, MCP server connections. Anyone with that URL controls your coding agent.

The docs mention "multiple short-lived credentials, each scoped to a single purpose and expiring independently." Good. But the session URL itself is the skeleton key. If it leaks through a screenshot, a Slack paste, a browser history sync, or shoulder surfing a QR code, the attacker gets an authenticated channel to your dev environment.

2. Persistent Remote Access = C2 Potential

Security researchers have already pointed out that this is textbook command-and-control infrastructure:

• Outbound-only HTTPS connections (bypasses most firewalls)

• Persistent session that survives network interruptions

• Full local filesystem and terminal access

• Can be enabled silently via config

• Legitimate traffic to anthropic.com domains (hard to flag as malicious)

If an attacker compromises your Anthropic account, they don't need to SSH into your machine. They connect to your active Remote Control session and execute commands through Claude Code.

3. The 'Enable for All Sessions' Footgun

The docs mention you can enable Remote Control for every session by default. Run /config, flip the toggle, done. Every Claude Code session you start is now remotely accessible through your Anthropic account.

Convenient for developers who work across devices. Also a standing invitation for lateral movement after account compromise.

4. No Sandboxing by Default

Remote Control supports --sandbox and --no-sandbox flags, but sandboxing is off by default. The remote session has the same access as your local terminal: SSH keys, AWS credentials, .env files, everything in your home directory.

Remote access + no sandbox + full filesystem access. That combination is exactly what runtime monitoring was designed for.

What This Means for Teams

If your engineering team uses Claude Code, Remote Control changes the threat model:

• Account compromise escalates. A phished Anthropic login now potentially grants access to every developer's local environment where Remote Control is active.

• Session URLs are credentials. They should never appear in Slack, screenshots, or shared screens.

• Auto-reconnect means sessions persist. A forgotten terminal tab is an open door.

• MCP server access goes remote. Whatever tools and integrations Claude Code can reach locally are now accessible through the remote session.

What You Should Do

• Don't enable Remote Control for all sessions by default. Use it explicitly when needed.

• Always use --sandbox when starting remote sessions.

• Treat session URLs like passwords. Don't share your screen while the URL or QR code is visible.

• Monitor agent activity during remote sessions. Runtime monitoring tools like AgentSteer give visibility into every file access, command execution, and network request, especially important when sessions are remotely controlled.

• Rotate Anthropic credentials immediately if you suspect account compromise. Kill active Remote Control sessions.

• Audit Claude Code permissions. Whatever you've given Claude Code access to is now remotely accessible.

The Bigger Picture

Remote Control is the latest step in a clear trend: AI coding agents are gaining more access, more persistence, and more remote capability. Each feature expands what's possible for developers and attackers alike.

Anthropic has done better than most on security design. TLS everywhere, short-lived credentials, outbound-only connections. But the fundamental question remains: who's watching what your agent does when you're not looking at it?

That's not rhetorical. It's literally why we built AgentSteer.