Security model for Claude Code cloud routines, controlling which external services a running routine can call.
Tiers
| Tier | Scope | Risk | Default? |
|---|---|---|---|
| Trusted | Anthropic-vetted domain allowlist (Google, GitHub, Anthropic services) | Low | Yes |
| Full | Any outbound URL | Higher (prompt injection risk) | No |
| Custom | User-specified domain list | Configurable | No |
Key points
- Default is Trusted — sufficient for GitHub repo operations, Google services, and Anthropic APIs [010]
- Full network access required for third-party services not on Anthropic’s allowlist (e.g., Alpaca Markets, Perplexity API) [010]
- Full mode increases prompt injection risk: a malicious web response could instruct the agent to take unintended actions [010]
- Custom tier lets teams specify an exact allowlist — best practice for production routines with defined external dependencies [010]
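The tier decision described above, sketched as an added example; it is not Anthropic's implementation and not code from the cited source. The function name `egress_allowed`, the tier strings and every domain value are assumptions made for illustration, and the Trusted set is a constructed stand-in because the real allowlist is not given on this page.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the vetted list (assumption, not the real allowlist).
TRUSTED_DOMAINS = {"github.com", "googleapis.com", "anthropic.com"}


def _host(url):
    """Return the normalized hostname of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # excludes any userinfo placed before '@'
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def _matches(host, domain):
    """Exact host or a true subdomain; a bare suffix test would accept evilgithub.com."""
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def egress_allowed(tier, url, custom_domains=()):
    """Decide whether a routine on the given tier may call url (hypothetical helper)."""
    if tier == "full":
        return True  # any outbound URL: no host restriction at all
    if tier == "trusted":
        allowed = TRUSTED_DOMAINS
    elif tier == "custom":
        allowed = custom_domains
    else:
        return False  # unknown tier: fail closed
    host = _host(url)
    if host is None:
        return False  # unparseable or non-http(s) target: fail closed
    return any(_matches(host, d) for d in allowed)
```

Matching on the parsed hostname with a leading-dot boundary is what makes a Custom list "exact": substring or prefix checks against the raw URL would pass lookalike hosts.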
Related concepts
- Claude Code Cloud Routines — the execution context this model applies to
- Agent Orchestration — network access tiers are a safety layer within the broader orchestration model
Source references
- [010] Nate Herk — Cloud agents & model releases cluster (2026-04-14 to 2026-04-17)