joegibbs 2 hours ago

Claude Code has added too much of this and it's got me using --dangerously-skip-permissions all the time. Previously it was fine but now it needs to get permission each time to perform finds, do anything if the path contains a \ (which any folder with a space in it does on Windows), do compound git commands (even if they're just read-only). Sometimes it asks for permission to read folders WITHIN the working directory.

malfist 4 minutes ago | parent | next [-]

Find can be dangerous; it has an exec flag.

andoando 2 hours ago | parent | prev | next [-]

Yeah I don't know why they didn't figure to have something in between. I find it completely unusable without the flag.

Even a --permit-reads would help a lot

nmilo 2 hours ago | parent | prev | next [-]

Claude is secretly conditioning everyone to use --dangerously-skip-permissions so it can flip a switch one day and start a botnet

maxbond an hour ago | parent [-]

My friends and I were talking about the recent supply chain attack which harmlessly installed OpenClaw. We came to the conclusion that this was a warning (from a human) that an agent could easily do the same. Given how soft security is in general, AI "escaping containment" feels inevitable. (The strong form of that hypothesis where it subjugates or eliminates us isn't inevitable, I honestly have no idea, just the weak form where we fail to erect boundaries it cannot bypass. We've basically already failed.)

connorbrinton an hour ago | parent | prev | next [-]

I've found Claude Code's built-in sandbox to strike a good balance between safety and autonomy on macOS. I think it's available on Windows via WSL2 (if you're looking for a middle ground between approving everything manually and --dangerously-skip-permissions)

itzworm 10 minutes ago | parent [-]

Still waiting for progress from the team trying to get WSL approved for use at our org. We get a "still working through the red tape" update every couple months.

od0 2 hours ago | parent | prev | next [-]

Working on something that addresses this and allows you to create reusable sets of permissions for Claude Code (so you can run without --dangerously-skip-permissions and have pre-approved access patterns granted automatically) https://github.com/empathic/clash

winterqt 2 hours ago | parent | prev | next [-]

In my limited time using it, I’ve never seen it ask for permission to read files from within the working directory, what cases have you run into where it does? Was it trying to run a read-only shell command or something?

makeramen 2 hours ago | parent | next [-]

It will sometimes do this for gitignored files to avoid reading secret tokens in env files for example. But for certain languages that rely on code generation this can be a pain.

acid__ 2 hours ago | parent | prev [-]

It seems to be particularly bad in Windows/WSL

chrysoprace 2 hours ago | parent | prev | next [-]

To be fair, read-only commands can still read sensitive files and keys, and exfiltrate them via prompt injection.

raw_anon_1111 24 minutes ago | parent | next [-]

Not if you don’t have keys on your computer.

In my case, all of my keys are in AWS Secrets Manager. The temporary AWS access keys that are in environment variables in the Claude terminal session are linked to a role without access to Secrets Manager. My other terminal session has temporary keys to a dev account that has Admin access.

The AWS CLI and SDK automatically know to look in those environment variables for credentials.

hamburglar 2 hours ago | parent | prev [-]

And “find” can easily execute arbitrary subcommands, which may not be read-only.

d_meeze 2 hours ago | parent | prev [-]

Maybe if compound commands trigger user approval, don’t do compound commands <facepalm/>
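The complaints above (compound git commands, paths with backslashes and spaces, reads inside the working directory) and the counterpoints (find's exec flag, read-only commands still reaching keys outside the project) together describe what a "--permit-reads" style pre-check would have to do. The following is an added example, not code from Claude Code or from the linked clash project: a classifier with constructed allowlists that approves only one simple, read-only command whose path arguments stay inside the working directory, and sends everything else back to the permission prompt.

```python
import ntpath, posixpath, shlex

# Constructed allowlists for this example; they are not Claude Code's own rules.
READ_ONLY_CMDS = {"ls", "dir", "cat", "head", "tail", "wc", "stat", "grep", "rg", "find"}
GIT_READ_ONLY = {"status", "log", "diff", "show", "blame", "branch", "ls-files", "rev-parse"}
FIND_MUTATING = {"-exec", "-execdir", "-ok", "-okdir", "-delete", "-fprint", "-fprintf", "-fls"}
PUNCT = set("();<>|&")  # shell control and redirection characters

def tokenize(command: str) -> list[str]:
    """Split like a shell but keep quotes and backslashes literal, so "C:\\My Project" stays one token."""
    lexer = shlex.shlex(command, posix=False, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def inside_cwd(arg: str, cwd: str) -> bool:
    """Resolve arg against cwd (Windows or POSIX flavour) and require it to stay under cwd."""
    arg = arg.strip("\"'")
    if arg.startswith("~"):  # the home directory is where keys usually live: always outside
        return False
    flavour = ntpath if ("\\" in cwd or cwd[1:2] == ":") else posixpath
    root = flavour.normpath(cwd)
    full = flavour.normpath(flavour.join(root, arg))  # normpath collapses any ".." segments
    if flavour is ntpath:  # Windows paths compare case-insensitively
        root, full = root.lower(), full.lower()
    return full == root or full.startswith(root.rstrip("\\/") + flavour.sep)

def classify(command: str, cwd: str) -> tuple[bool, str]:
    """Return (may_run_without_prompt, reason) for a proposed shell command."""
    argv = tokenize(command)
    if not argv:
        return False, "empty command"
    ops = [t for t in argv if all(c in PUNCT for c in t)]
    if ops:  # &&, ||, ;, |, redirections: not a single simple command
        return False, f"compound command or redirection: {ops[0]}"
    if any("`" in t for t in argv):
        return False, "command substitution"
    args = [a for a in argv[1:] if not a.startswith("-")]
    outside = [a for a in args if not inside_cwd(a, cwd)]
    if outside:
        return False, f"path leaves the working directory: {outside[0]}"
    prog = argv[0].strip("\"'")
    if prog == "git":  # only read-only subcommands; push, reset, checkout etc. still prompt
        sub = args[0] if args else ""
        return sub in GIT_READ_ONLY, f"git {sub or '<none>'} {'is' if sub in GIT_READ_ONLY else 'is not'} read-only"
    if prog == "find":  # find is read-only only without its action flags
        hit = sorted(FIND_MUTATING.intersection(argv))
        if hit:
            return False, f"find {hit[0]} executes or writes"
    ok = prog in READ_ONLY_CMDS
    return ok, f"{prog} {'is read-only' if ok else 'is not on the read-only allowlist'}"
```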