Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Fishkins 6 hours ago

I agree with most of this, with one important exception: you should have some form of sandboxing in place before running any local AI agent. The easiest way to do that is with .claude/settings.json[0].

This is important no matter how experienced you are, but arguable the most important when you don't know what you're doing.

0: or if you don't want to learn about that, you can use Claude Code Web

post-it 6 hours ago | parent | next [-]

The default sandboxing works fine for me. It asks before running any command, and I can whitelist directories for reading and non-compound commands.

arcanemachiner 4 hours ago | parent [-]

That's not a sandbox.

kseniamorph 3 hours ago | parent [-]

there is a real one though — https://www.anthropic.com/engineering/claude-code-sandboxing. needs to be enabled with /sandbox, not on by default.

Fishkins an hour ago | parent [-]

Right, that's what I was referring to

gawa 5 hours ago | parent | prev | next [-]

The part about permissions with settings.json [0] is laughable. Are we really supposed to list all potential variations of harmful commands? In addition to the `Bash(cat ./.env)`, we would also need to add `Bash(cat .env)`, Bash(tail ./.env)`, Bash(tail .env)`, `Bash(head ./.env)`, `Bash(sed '' ./.env)`, and countless others... while at the same time we allow something like `npm` to run?

I know the deny list is only for automatically denying, and that non-explicitly allowed command will pause, waiting for user input confirmation. But still it reminds me of the rationale the author of the Pi harness [1] gave to explain why there will be no permission feature built-in in Pi (emphasis mine):

> If you look at the security measures in other coding agents, *they're mostly security theater*. As soon as your agent can write code and run code, it's pretty much game over. [...] If you're uncomfortable with full access, run pi inside a container or use a different tool if you need (faux) guardrails.

As you mentioned, this is a big feature of Claude Code Web (or Codex/Antigravity or whatever equivalent of other companies): they handle the sand-boxing.

[0] https://blog.dailydoseofds.com/i/191853914/settingsjson-perm...

[1] https://mariozechner.at/posts/2025-11-30-pi-coding-agent/#to...

Fishkins an hour ago | parent [-]

> The part about permissions with settings.json [0] is laughable

I never said "permissions", I said "sandboxing". You can configure that in settings.json.

https://code.claude.com/docs/en/sandboxing#configure-sandbox...

sroussey 5 hours ago | parent | prev [-]

Do people really run claude and other clis like this outside a container??

Fishkins an hour ago | parent | next [-]

I'm sure most folks run Claude without isolation or sandboxing. It's a terrible idea, but even most professional software developers don't think much about security.

There many decent options (cloud VMs, local VMs, Docker, the built-in sandboxing). My point is just that folks should research and set up at least one of them before running an agent.

kenforthewin 5 hours ago | parent | prev | next [-]

Let's not fool ourselves here. If a security feature adds any amount of friction at all, and there's a simple way to disable it, users will choose to do so.

matheusmoreira 4 hours ago | parent | prev [-]

How did you contain Claude Code? Did you virtualize it? I just set up a simple firejail script for it. Not completely sure if it's enough but it's at least something.

arcanemachiner 4 hours ago | parent | next [-]

The official Claude Code repo is configured use a devcontainer config:

https://github.com/anthropics/claude-code

You can download the devcontainer CLI and use it to start a Docker container with a working Claude Code install, simple firewall, etc. out of the box. (I believe this is how the VSCode extension works: It uses this repo to bootstrap the devcontainer).

Basic instructions:

- Install the devcontainer CLI: `https://github.com/devcontainers/cli#install-script`

- Clone the Claude Code repo: `https://github.com/anthropics/claude-code`

- Navigate to the top-level repo directory and bring up the container: `devcontainer --workspace-folder . up`

- Start Claude in the container: `devcontainer exec --workspace-folder . bash -c "exec claude"`

P.S. It's all just Docker containers under the hood.

stefans 4 hours ago | parent | prev [-]

I‘m using https://www.docker.com/products/docker-sandboxes/

Better isolation than running it in a container.