Alibaba Flags Anthropic’s Claude Code as High-Risk Software
Alibaba has classified Anthropic’s Claude Code as high-risk software, citing security concerns over the tool’s ability to execute terminal commands and modify files autonomously. This designation reflects the growing tension between the productivity gains of agentic AI and the strict security protocols required by global enterprise environments.
Why is Claude Code classified as high-risk?
The primary driver for Alibaba’s classification is the “agentic” nature of Claude Code. Unlike standard AI assistants that provide code snippets for a human to copy and paste, Claude Code is a command-line interface (CLI) tool. It can read files, write code, execute shell commands, and navigate a local file system to complete complex engineering tasks.

According to internal security assessments, this level of access creates several critical vulnerabilities:
- Unauthorized Command Execution: Because the tool can run shell commands, a “prompt injection” attack could potentially trick the AI into executing malicious code on a developer’s machine.
- Data Exfiltration: The ability to read wide swaths of a codebase increases the risk of sensitive proprietary data being sent to external servers during the reasoning process.
- System Instability: Autonomous file modification can lead to accidental deletion of critical configuration files or the introduction of breaking changes without human oversight.
How does Claude Code differ from GitHub Copilot or Cursor?
The risk profile of Claude Code differs significantly from traditional AI coding assistants. Most developers use tools like GitHub Copilot or Cursor as “autocomplete” or “chat” interfaces. These tools generally suggest code within an Integrated Development Environment (IDE), requiring the developer to manually accept and commit the changes.

Claude Code shifts the paradigm from suggestion to execution. While a tool like Copilot suggests a function, Claude Code can create the file, run the tests to see if the function works, and then fix the bugs it finds in the logs. For a company like Alibaba, which manages massive, interconnected legacy systems, this autonomy introduces a level of unpredictability that standard IDE plugins do not.
What are the implications for enterprise AI adoption?
Alibaba’s move underscores a widening “Agentic Gap” in corporate IT. While startups and individual developers prioritize velocity, large enterprises prioritize the software supply chain’s integrity. This conflict mirrors earlier corporate reactions to Generative AI, such as when Samsung and Apple restricted the use of ChatGPT due to data leakage concerns.
The classification of agentic tools as high-risk suggests that future AI adoption in the enterprise will likely require “sandboxing.” This means AI agents will operate in isolated virtual environments where they cannot touch the primary production codebase or the host operating system without an explicit, human-verified “gate.”
Frequently Asked Questions
What is Claude Code?
Claude Code is a CLI agent developed by Anthropic that allows developers to interact with their codebase via a terminal, enabling the AI to perform tasks like bug fixing and refactoring autonomously.

Is Claude Code banned at Alibaba?
The tool is classified as “high-risk,” which typically means its use is either prohibited or requires strict, high-level security approvals and monitoring, rather than being available for general employee use.
Can prompt injection actually control a CLI agent?
Yes. In a scenario known as “Indirect Prompt Injection,” an AI agent reading a file containing malicious instructions (hidden in a comment or README) could be tricked into executing those instructions on the user’s system.
Summary of AI Coding Tool Risk Levels
| Tool Type | Primary Action | Risk Level | Main Security Concern |
|---|---|---|---|
| Chatbot (ChatGPT/Claude.ai) | Text Generation | Low/Medium | Data Leakage |
| IDE Plugin (Copilot/Cursor) | Code Suggestion | Medium | Code Quality/Copyright |
| CLI Agent (Claude Code) | System Execution | High | Remote Code Execution (RCE) |