Anthropic's new cloud-scheduled Claude Code feature lets you automate any task that Claude Code can do — run a daily test suite, triage issues, commit dependency updates — and have it run on a schedule, without your machine on, without you present. The task picks up its MCP connectors from your project config, executes with tool access you granted during setup, and delivers results to your inbox.
That last sentence is the one worth reading twice.
Every MCP server that was in scope when you configured the task is in scope every time the task runs. If you added a filesystem server to debug something three months ago, it is still there. If an MCP connector you installed last quarter contained a malicious tool description, that description is being evaluated by a model that has no human watching it and is configured not to prompt for permission.
The HN thread that erupted the day Anthropic announced the feature surfaced the same concern from independent engineers within hours. The problem is not the scheduler — the problem is that the scheduler has no MCP audit gate. Nobody has written one. Here is where to start.
1. Audit Every MCP Connector in Your Project Config
Before you schedule a task, open your MCP config and read every server definition. For each one, ask three questions:
- Is this server still needed? MCP configs accumulate. Servers added for a single debugging session stay in config indefinitely. If you cannot name the reason a server is present, remove it before scheduling.
- What tools does it expose? Use SkillShield to scan the tool descriptions and manifest — not just the package name. Tool description injection attacks embed instructions for the model inside the description field, where they are invisible unless you read the raw JSON.
- Where does it connect? Local-only MCP servers carry different risk than servers that make outbound network calls. Every server that touches an external endpoint is a potential exfiltration vector.
A scheduled task that runs unattended cannot ask you whether a suspicious tool call is okay. The audit happens now or not at all.
2. Verify permission_prompts: No Is an Intentional Choice
Anthropic's scheduled task config exposes a permission_prompts field. The default for unattended runs is No. That means the model will execute tool calls without asking for confirmation — including calls to write files, invoke shell commands, or hit network endpoints.
This is the right default for automation. It is also the setting that makes every unreviewed MCP connector in your stack a live risk. Before you set it, run a full tool audit and confirm every server in scope is one you would approve if a pop-up appeared. Because there will not be a pop-up.
3. Check Inline Secrets in MCP Environment Blocks
Claude Code's MCP config format allows inline env blocks for each server. These blocks are where credentials go — API keys, database connection strings, OAuth tokens. If your .claude/ directory is in a repo, those secrets are in that repo.
Scheduled tasks use the same MCP config your local Claude Code session uses. That means the credentials your automated pipeline needs are stored wherever your project config is stored. Run a secrets scan on your .claude/ directory before scheduling. Look specifically for:
ANTHROPIC_API_KEY,OPENAI_API_KEY, or provider tokens in anyenvblock- Database connection strings or
DATABASE_URLequivalents - Internal service tokens used for CI or deployment access
SkillShield flags these automatically during a skill scan. Run the scan before the scheduler runs your task.
4. Review What the Task Can Write and Where
Claude Code's filesystem MCP tools and shell tools give the model write access during a scheduled run. Before scheduling, answer: what can this task write to, and is any of that shared or production?
If the task has a filesystem MCP server scoped to your home directory and your home directory contains SSH keys, credentials files, or production configs, then those are in scope. Limit server scope to the directories the task actually needs. The principle of least privilege applies to MCP server scope, not just API tokens.
5. Run a Pre-Schedule SkillShield Scan
The five checks above require reading config files, inspecting tool manifests, grepping for secrets, and tracing permission boundaries. SkillShield runs all of them automatically. Point it at your .claude/ directory and your MCP skill stack before enabling any scheduled task:
skillshield scan --mcp-config .claude/settings.json --secrets --tool-descriptionsThe scan surfaces:
- Tool description injections — malicious instructions embedded in tool manifest text
- Hardcoded secrets — API keys and tokens in env blocks and SKILL.md files
- Over-permissioned connectors — servers with write or shell access that the task does not need
- Known malicious packages — cross-referenced against the SkillShield threat database
If you are scheduling Claude Code to run unattended, this scan is the human-in-the-loop you are removing from the permission flow. Run it once. Run it again when your MCP stack changes.
The Larger Pattern
Anthropic's scheduler is not an outlier — it is the first of many. Every major AI coding assistant will offer cloud-scheduled autonomous execution within the next twelve months. The pattern that emerges from the HN thread is consistent: developers understand the capability, they are excited about the productivity gain, and they are anxious about the security gap that opens when there is no human watching tool calls execute.
The gap SkillShield fills is not exotic. It is the same gap that CI/CD security scanning filled when teams moved from manual deploys to automated pipelines: you cannot have a human approve every action, so you run a scan that catches the problems before the pipeline runs. The scanner is the gate.
Your Claude Code scheduled task will run whether you have audited its MCP connectors or not. The audit is the one thing you control before it starts.
Sources: HN: Claude Code scheduled tasks (154pts, 113 comments), Anthropic docs: scheduled tasks, Anatomy of the .claude/ folder.