[Porygon]

I do that, too! I use git for version control outside the docker container, and to prevent claude from executing arbitrary code through commit hooks, I attach the docker volume mount in a nested directory of the repository so claude can not touch .git. Are there any other attack vectors that I should watch out for?

[throw-12-16]

I never mount .git to the agent container, but sometimes I will initialize the container with its own internal .git so the agent can preserve its git operations and maintain a change log outside of its memory context.

[ivankra]

Ohh, good point about git hooks as a container escape vector! I probably should add `-v $PWD/.git:$PWD/.git:ro` for that (bind-mount .git as read-only).