Using proxies to hide secrets from Claude Code

https://news.ycombinator.com/rss Hits: 10
Summary

Sandboxing agentic coding tools is a networking problem

Allowlisting commands on a trusted host for an agentic coding tool can be somewhat fraught. Taking inspiration from Simon Willison, sandboxes help us reason about their relation to the lethal trifecta: What untrusted content is the sandbox exposed to? How can they externally communicate? What sensitive data are we providing to the sandbox?

Anthropic provides several sandboxing tools specific to Claude Code: Cursor also has a similar sandboxing feature for Mac users that uses sandbox-exec under the hood for the Cursor IDE. OpenAI's Codex CLI also supports a sandbox argument that uses sandbox-exec. We're super excited to see all the new tools to limit what access these agentic coding tools have to our host! You could also write your own sandbox using gVisor or Firecracker VMs! The themes around network isolation and proxies should transfer.

What is the worst a sandbox can do?

Although the specifics of the sandbox technology affect the level of isolation, sufficient sandboxing can make a sandboxed Claude Code look like a separate host. What network access am I allowing Claude Code to have? What actions can Claude Code perform with this network access and the data it has?

For example, almost all Claude Code instances have access to Anthropic API keys to be able to interact with the Anthropic API. Claude Code has access to all environment variables present in your terminal session (which are propagated to the Claude Code sandbox), and Claude Code has access to read the files from the directory where you run claude.

Unfortunately, a lot of software requires secrets. For example, development on third-party integrations requires using secrets. This makes having separate development, staging, and production integration credentials especially valuable, but even development integration credentials are not designed to be publicly accessible: otherwise, they wouldn't be credentials!

What data am I providing t...

First seen: 2026-01-14 01:07

Last seen: 2026-01-19 09:30