Claude code has some basic security features like asking for user confirmation for bash commands, or restricting commands to the current directory. If these features are not being code reviewed, what assurances do we have that they actually work?

▲

ninininino 3 days ago | parent | next [-]

They don't work. Do not trust them. Run Claude Code in an isolated, disposable micro VM and assume it will break your environment, steal any available secrets, do destructive commands, etc. So don't give it any way to do that to anything you care about.

▲

nurettin 3 days ago | parent | prev [-]

You don't. I learned this from it executing commands while in plan mode. It is LLMs all the way down.

	▲	jmux 3 days ago \| parent [-]
		if you read the thinking context while in plan mode (I had it shown to me, i think mistakenly, by switching modes while Claude was thinking a week or so ago) plan mode is just a pre-prompt saying “you are now in plan mode, don’t propose edits, read the code and understand how it works.” it’s not an actual limitation on the harness.