by cedws 103 days ago
Claude Code’s sandboxing is a complete joke. There should be no ‘off switch.’ Sandboxing should not be opt in. It should not have full read access over the file system by default.

I really want more security people to get involved in the LLM space because everyone seems to have just lost their minds.

If you look at this thing through a security lens it’s horrifying, which was a cause of frustration when Anthropic changed their TOS to ban use of alternative clients with a subscription. I don’t want to use that Swiss cheese.


The first thing I recommend everyone use is devcontainers [1]. They're very simple to set up and make using LLMs a lot more secure.

[1] https://code.claude.com/docs/en/devcontainer

The Claude sandbox is so antithetical to good security posture it almost seems intentional[0]. Having both "default read to the entire file system" and "the agent can and _will_ disable the sandbox, without even asking the user[1], in order to complete tasks" would not pass muster in a freshman level security course.

[0] assuming a human with security training was involved in the design/prompting of the sandbox development.

[1] Claude has well-used mechanisms for asking the user before taking potentially dangerous actions. Why it is not part of the "disable my own SANDBOX" branches of code is confusing.

I opened an issue about this on day 1 of the release:

https://github.com/anthropic-experimental/sandbox-runtime/is...

I ended up making my own sandbox wrapper instead: https://GitHub.com/arianvp/landlock-nix
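Added example, not code from the thread or from landlock-nix: a minimal C wrapper that calls the Landlock syscalls directly to confine an agent process to one project directory, which is the deny-by-default filesystem posture the comments above are asking for. It assumes Linux 5.13 or newer (Landlock ABI v1) on an architecture where the Landlock syscall numbers are 444 to 446 (x86_64, aarch64); the local constant names, the helpers confine_to_dir, can_read and confine_and_probe, and the usage command line are this example's own.

```c
/* landlock_wrap.c: confine this process, and whatever it execs, to one directory.
 * Added example; assumes Linux >= 5.13 with Landlock enabled. Everything outside
 * the project directory becomes unreadable, and the child cannot undo it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers and ABI v1 constants defined locally so this builds without
 * <linux/landlock.h>; values match the upstream UAPI header. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
/* ABI v1 handles 13 filesystem access rights, bits 0..12 (EXECUTE, WRITE_FILE,
 * READ_FILE, READ_DIR, REMOVE_DIR, REMOVE_FILE, MAKE_CHAR .. MAKE_SYM). */
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Landlock ABI version, or -1 if the kernel (or a seccomp filter) hides it. */
long landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : v;
}

/* Confine the calling process to project_dir.
 *   0  confined: only project_dir and its subtree are accessible
 *  -1  Landlock unavailable: the caller must refuse to run, not run unconfined
 *  -2  Landlock present but the ruleset could not be applied (errno is set) */
int confine_to_dir(const char *project_dir) {
    if (landlock_abi_version() < 1) return -1;

    /* Handle every v1 right: anything not explicitly allowed is denied. */
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -2;

    int dir = open(project_dir, O_PATH | O_CLOEXEC);
    if (dir < 0) { close(ruleset); return -2; }
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_ALL_V1, .parent_fd = dir };
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &rule, 0);
    close(dir);
    if (rc < 0) { close(ruleset); return -2; }

    /* no_new_privs is required by landlock_restrict_self and also stops a
     * setuid helper from being used to climb out of the sandbox. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { close(ruleset); return -2; }
    rc = (int)syscall(__NR_landlock_restrict_self, ruleset, 0);
    close(ruleset);
    return rc < 0 ? -2 : 0;
}

/* 1 if path opens read-only, 0 if the kernel refuses (EACCES under Landlock). */
int can_read(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Self-check: confine to dir, then probe one path inside and one outside.
 * -1 Landlock unavailable, 0 confinement verified, 1 something leaked. */
int confine_and_probe(const char *dir, const char *outside) {
    int rc = confine_to_dir(dir);
    if (rc == -1) return -1;
    if (rc == -2) return 1;
    return (can_read(dir) && !can_read(outside)) ? 0 : 1;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <project-dir> <cmd> [args...]\n", argv[0]); return 2; }
    int rc = confine_to_dir(argv[1]);
    if (rc == -1) { fprintf(stderr, "Landlock unavailable; refusing to run unconfined\n"); return 1; }
    if (rc == -2) { perror("landlock"); return 1; }
    /* The ruleset survives execve, so the agent started here cannot read
     * ~/.ssh, ~/.aws or anything else outside the project directory. */
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

Build with `cc -O2 landlock_wrap.c -o landlock_wrap` and start the agent as `./landlock_wrap ~/proj <agent-command>`. From inside, `open("~/.ssh/id_ed25519")` fails with EACCES, and there is no off switch: Landlock rulesets are inherited by every child and can only be stacked tighter, never dropped. Two caveats a practitioner should keep in mind: the wrapper refuses to run when Landlock is missing rather than falling back to "unconfined", which is the behaviour the thread objects to; and ABI v1 says nothing about the network, so exfiltration over TCP needs a separate control (Landlock ABI v4 adds TCP bind/connect rules, or use a network namespace).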