by markisus 57 days ago
Claude Code has some basic security features like asking for user confirmation for bash commands, or restricting commands to the current directory. If these features are not being code reviewed, what assurances do we have that they actually work?

They don't work. Do not trust them. Run Claude Code in an isolated, disposable micro VM and assume it will break your environment, steal any available secrets, do destructive commands, etc. So don't give it any way to do that to anything you care about.
Humans don't really work any better, just fail in different ways. This is why certain workflows and practices have emerged.

We are now in the early days of working through a similar process with AI.

They most definitely do work for some use cases, but how they are used is important.

Just because you apply human processes and systems to AI based workflows and don't get historically expected results, this is zero basis to claim the sky is falling with use of AI in coding.

I didn't claim the sky is falling with the use of AI in coding.

I claimed

> basic security features like asking for user confirmation for bash commands, or restricting commands to the current directory

Do not currently reliably work. Not to the point that anyone concerned with security or reliability/not-having-their-env-fucked-up should trust these safeguards as standalones.

You don't. I learned this from it executing commands while in plan mode. It is LLMs all the way down.
If you read the thinking context while in plan mode (I had it shown to me, I think mistakenly, by switching modes while Claude was thinking a week or so ago), plan mode is just a pre-prompt saying “you are now in plan mode, don’t propose edits, read the code and understand how it works.”

It’s not an actual limitation on the harness.