
Running Claude Code dangerously (safely)

https://blog.emilburzo.com/2026/01/running-claude-code-dangerously-safely/
62•emilburzo•1h ago

Comments

ompogUe•6d ago
Keeping in mind with Vagrant: if you are using a synced_folder in your host as a source folder in the VM, those files in the synced_folder will be modified on the host.
emilburzo•6d ago
Good point. For me, that was intentional, since all my projects are in git I don't care if it messes something up. Then you get the benefit of being able to use your regular git tooling/flows/whatever, without having to add credentials to the VM.

But if you need something more strict, 'config.vm.synced_folder' also supports 'type rsync', which will copy the source folder at startup to the VM, but then it's on you to sync it back or whatever.

ompogUe•5d ago
I like this workflow a lot, actually. Docker is great and all, but depending on the project, Vagrant helps "keep it simple".

Thanks

gregoriol•55m ago
If the folder is versioned and committed regularly there is no problem. It also allows you to open the files in your IDE, do some other tasks or fixes for claude. It prevents claude from accessing any other folder, which is the idea of the post.
gcr•35m ago
I’ve seen Claude rm .git in rare occasions to “fix rebase hiccups”

Version control ain’t a match for a good backup

gregoriol•8m ago
So? if it removes .git, just clone the project again and you are ok
tobyhinloopen•59m ago
How about running Claude as a different user with very limited permissions?
gregoriol•57m ago
This breaks the non-interactive mode the post wants to achieve. Claude will not be able to install some things and will require user action, which is not desired here.
progval•48m ago
Like what? It can already use npm/pip/etc. And if it needs a new APT package or config in /etc/ then you would want to know because you need to document it.
gregoriol•4m ago
If you make claude work with c/c++, it may need apt for libraries or build tools.

Even with npm/pip, these may not be available on a base linux box.

Even then, some complex projects may need other tools that are not part of a base system (command line tools, redis, ...).

delaminator•55m ago
I run it with sudo enabled - true story

just give it its own machine and let it check out any code

I PXE boot it from a known image when I feel the need

tobyhinloopen•46m ago
Running it remotely on a VM seems like a very sensible option. Just don't give it permission to nuke the remote repository hah (EG don't allow force-push, use protected branches, only allow write access to branches it created)
emilburzo•49m ago
I tried this approach for a while, but I really wanted it to be able to do anything (install system packages, build/run Docker containers, the works).

With these powers there's a lot less back-and-forth with me running commands, copying the output, pasting it to Claude, etc.

I'm sure you've had the case where you had to instruct someone to do something (e.g. playing tech support with family, helping another engineer, etc). While it helps the other person learn, it feels soooo slow vs just doing it yourself :) And since I don't have to teach the agent, I think this approach makes sense.

skybrian•58m ago
I'm doing this with a remote VM on exe.dev and it's quite nice. Well, actually with their own coding agent but they have Claude Code preinstalled too.

Syncthing works well for getting a local copy of a directory from the VM.

letmetweakit•57m ago
I run Claude in a Proxmox VM, generally the experience has been great. In my experience it also behaves better than gemini cli, that likes to create files all over the place if set loose (lesson learned to add that requirement to the relevant .md files)
vidarh•55m ago
Something that contains Claude even more in this respect is if you explicitly give it a directory that you tell it is entirely under its control, and tell it to write md files and other intermediate work products there (and this seems to work better than telling it where it isn't allowed to leave things).
emilburzo•53m ago
This was also the direction I was initially headed, but then I realized I wanted one-VM-per-project so it can really do anything it wants on the complete VM. So the blast-from-the-past-Vagrant won because of the Vagrantfile + `vagrant up` easiness.
letmetweakit•48m ago
I use Proxmox snapshots to get back to a clean state. I’ll take a look at Vagrant too though.
scalemaxx•53m ago
I installed Gemini as an extension in VS Code and it kept wanting to index all my files. Still trying to figure out what it was doing outside of the VS Code folder I had set it to work on.
loloquwowndueo•54m ago
Shellbox.dev and sprites.dev were discussed recently on hacker news, they give you a sandbox machine where it’s likely safe to run coding agents in dangerous mode. Filesystem checkpoint and restore make it easy to recover from even catastrophic mistakes.
gcr•36m ago
What about API calls? What about GitHub trusted CI deploys?

One frustrating thing about these solutions is that they’re great to prevent Claude from breaking a machine, but there’s no pervasive sandbox for third party services

clbrmbr•49m ago
I have been running two or three Claudes bare metal with dangerously skip permissions all day every day for two months now. It's absolutely liberating.
Gazoche•38m ago
Until it decides to delete your home directory: https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...
esperent•21m ago
You can use the /hookify plugin to add hooks for preventing dangerous commands like this.
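The thread mentions hooks as the way to stop the `rm -rf` incidents linked above, but shows none. The script below is an added example (not the /hookify plugin and not code from the linked post) of a PreToolUse hook for the Bash tool. It assumes the hook contract as I understand it from the Claude Code hooks documentation, which you should check against your installed version: the hook receives JSON on stdin with `tool_name` and `tool_input` (`{"command": "..."}`), exit status 2 blocks the call and sends stderr back to the model, and any other status lets the call proceed. The protected-path list is constructed for the example.

```python
"""Claude Code PreToolUse hook that refuses destructive shell commands.

Added example for this thread; not the /hookify plugin and not code from the
linked blog post. Assumed hook contract (verify against your Claude Code
version): JSON on stdin with "tool_name" and "tool_input" {"command": "..."},
exit status 2 blocks the call (stderr is shown to the model), anything else
lets it proceed.
"""
import json
import re
import shlex
import sys

# Targets whose recursive removal should never happen without a human in the loop.
# Constructed for the example; extend for your own environment.
PROTECTED_EXACT = {"/", "~", "$HOME", "${HOME}", ".", "..", "*",
                   "/etc", "/home", "/usr", "/var", "/bin", "/boot"}


def _is_protected(target):
    """True for the home dir, the filesystem root, system dirs and any .git dir."""
    norm = target.rstrip("/") or "/"
    if norm in PROTECTED_EXACT:
        return True
    return norm == ".git" or norm.endswith("/.git")


def _is_recursive_rm(argv):
    """rm with -r/-R in any short-flag cluster, or --recursive."""
    if not argv or argv[0] != "rm":
        return False
    for arg in argv[1:]:
        if arg == "--recursive":
            return True
        if arg.startswith("-") and not arg.startswith("--") and ("r" in arg or "R" in arg):
            return True
    return False


def inspect_command(command):
    """Return (allowed, reason). Every simple command in a chain or pipeline is
    checked, so `cd /tmp && rm -rf ~/proj/.git` is caught, not only a bare `rm -rf ~`."""
    for segment in re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            # Unbalanced quotes: fail closed rather than guess what the shell would do.
            return False, f"could not parse command segment: {segment!r}"
        # Look through sudo/env wrappers at the real command.
        while argv and argv[0] in ("sudo", "env"):
            argv = argv[1:]
        if not argv:
            continue
        if _is_recursive_rm(argv):
            for target in (a for a in argv[1:] if not a.startswith("-")):
                if _is_protected(target):
                    return False, f"refusing recursive rm of protected path {target!r}"
        if argv[0] == "git" and "push" in argv[1:] and any(a in ("--force", "-f") for a in argv[1:]):
            return False, "refusing force push; push to a new branch instead"
    return True, ""


def main():
    event = json.load(sys.stdin)
    if event.get("tool_name") != "Bash":
        return 0
    allowed, reason = inspect_command(event.get("tool_input", {}).get("command", ""))
    if allowed:
        return 0
    print(f"blocked by guard hook: {reason}", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

Wiring it up is a settings entry of the form `{"hooks": {"PreToolUse": [{"matcher": "Bash", "hooks": [{"type": "command", "command": "python3 /path/to/guard.py"}]}]}}` (the shape I recall from the docs; confirm it for your version). The hook is a last line of defence, not a sandbox: a pattern check on `rm` will not see a deletion done by a script the agent wrote a moment earlier, so it belongs alongside the VM or container isolation the post describes, not instead of it.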
pixl97•21m ago
You're not running it on a filesystem that takes snapshots and is easily reversible?
coldtea•18m ago
All 1 of them?
sixhobbits•27m ago
same, it's made a couple of damaging mistakes but so far it has a better track record than me in terms of fat-fingering `rm` commands or what have you
coldtea•17m ago
And that's as a dev. Then we expect users to know better than e.g. to trust links to .sh style installers some FOSS suggests...
croes•9m ago
I have been driving without a seat belt for two months now. It's absolutely liberating.
crabmusket•42m ago
What is the consensus on Claude Code's built-in sandboxing?

https://code.claude.com/docs/en/sandboxing#sandboxing

> Claude Code includes an intentional escape hatch mechanism that allows commands to run outside the sandbox when necessary. When a command fails due to sandbox restrictions (such as network connectivity issues or incompatible tools), Claude is prompted to analyze the failure and may retry the command with the dangerouslyDisableSandbox parameter.

The ability for the agent itself to decide to disable the sandbox seems like a flaw. But do I understand correctly that this would cause a pause to ask for the user's approval?

shakna•34m ago
Afraid that it regularly bypasses requests for confirmation...

[0] https://github.com/anthropics/claude-code/issues/14268

[1] https://github.com/anthropics/claude-code/issues/13583

[2] https://github.com/anthropics/claude-code/issues/10089

prodigycorp•7m ago
It's trivially easy to get Claude Code to go out of its sandbox using prompting alone.

Side note: I wish Anthropic would open source claude code. filing an issue is like tossing toilet paper into the wind.

tradziej•42m ago
https://github.com/mensfeld/code-on-incus - check out this project
firasd•42m ago
I noticed something in Claude across all product surfaces

There's a bug in that it can't output smart quotes “like this”

Sonnet, Opus et al think they output it but something in the pipeline is rewriting it

https://github.com/firasd/vibesbench/blob/main/docs/2026/A/t...

Try it in Claude Code and you'll see what I mean! Very weird

samlinnfer•41m ago
Here is what I do: run a container in a folder that has my entire dev environment installed. No VMs needed.

The only access the container has are the folders that are bind mounted from the host’s filesystem. The container gets network access from a transparent proxy.

https://github.com/dogestreet/dev-container

Much more usable than setting up a VM and you can share the same desktop environment as the host.

sampullman•14m ago
I did this for a while, it's pretty good but I occasionally came across dependencies that were difficult to install in containers, and other minor inconveniences.

I ended up getting a mini-PC solely dedicated toward running agents in dangerous mode, it's refreshing to not have to think too much about sandboxing.

phrotoma•6m ago
This works great for naked code, but it kinda becomes a PITA if you want to develop a containerized application. As soon as you ask your agent to start hacking on a dockerfile or some compose files you start needing a bunch of cockeyed hacks to do containers-in-containers. I found it to be much less complicated to just stuff the agent in a full fledged VM with nerdctl and let it rip.
denysvitali•37m ago
Here's what I do (shameless plug): https://blog.denv.it/posts/im-happy-engineer-now/

This allows you to use Claude Code from your mobile device, in a safe environment (restricted Kubernetes pod)

jeffrallen•27m ago
Here's what I do (shameless plug, not an employee, just a satisfied user): https://exe.dev
denysvitali•11m ago
Yes, this approach also looked nice! Maybe you can pair both (happy + exe.dev) for best results
riadsila•33m ago
Koyeb has great resources about running Claude Code in sandboxes: https://www.koyeb.com/tutorials/use-claude-agent-sdk-with-ko...
athrowaway3z•31m ago
`useradd claude`
RobinL•25m ago
Does anyone have direct experience with Claude making damaging mistakes in dangerously skip permissions mode? It'd be great to have a sense of what the real world risk is.
azuanrb•20m ago
One recent example. For some reason, recently Claude prefers to write scripts in the root /tmp folder. I don't like this behavior at all. It's nothing destructive, but it should be out of scope by default. I notice they keep adding more safeguards which is great, eg asking for permissions, but it seems to be case by case.
coldtea•19m ago
At least one guy had their ~ rm -rf'ed.

https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...

MattGaiser•16m ago
Claude has twice now thought that deleting the database is the right thing to do. It didn't matter as it was local and one created with fixtures in the Docker container (in anticipation of such a scenario), but it was an inappropriate way of handling Django migration issues.
ra120271•15m ago
When approving actions "for this project" I actively monitor .claude\settings.local.json

as

"Bash(az resource:*)",

is much more permissive than

"Bash(az resource show:*)",

It mostly gets it right but I instantly fix the file with the "readonly" version when it gets it too open.
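The comment above is checking the allow list by eye. Below is an added example (not the commenter's tooling) that does the same check mechanically: it reads the `permissions.allow` list, assumed to be the settings layout, and flags `Bash(<prefix>:*)` rules whose prefix stops at the CLI name or a resource noun without a read-only verb, which is exactly the `az resource:*` versus `az resource show:*` difference. The read-only verb table and the sample settings are constructed for the example.

```python
"""Audit the Bash allow rules in a Claude Code settings file for over-broad prefixes.

Added example, not tooling from the thread. It assumes the settings layout
{"permissions": {"allow": [...]}} and the Bash(<prefix>:*) prefix-match rule
syntax from the comment above. The read-only verb table is constructed for the
example; extend it for the CLIs you actually approve.
"""
import json
import re
import sys

# Bash(<prefix>:*) grants every command starting with <prefix>; Bash(<cmd>) is exact.
RULE_RE = re.compile(r"^Bash\((?P<prefix>.*?)(?::\*)?\)$")

# Verbs accepted as read-only per CLI (constructed for this example).
READ_ONLY_VERBS = {
    "az": {"show", "list", "get"},
    "git": {"status", "log", "diff", "show", "branch"},
    "kubectl": {"get", "describe", "logs"},
}

# Sample settings, constructed inline so the script runs offline.
SAMPLE_SETTINGS = {
    "permissions": {
        "allow": [
            "Bash(az resource show:*)",   # read-only: fine
            "Bash(az resource:*)",        # also covers 'az resource delete'
            "Bash(git status:*)",
            "Bash(kubectl:*)",            # every kubectl verb, including delete/apply
            "Read(~/.zshrc)",             # not a Bash rule; ignored here
        ]
    }
}


def parse_bash_rule(rule):
    """Return the prefix words of a Bash(...) rule, or None for any other rule."""
    m = RULE_RE.match(rule.strip())
    return m.group("prefix").split() if m else None


def audit(settings):
    """Return [(rule, reason)] for allow rules that grant more than read-only access."""
    findings = []
    for rule in settings.get("permissions", {}).get("allow", []):
        words = parse_bash_rule(rule)
        if words is None:
            continue
        if not words or words == ["*"]:
            findings.append((rule, "allows any shell command"))
            continue
        cli, rest = words[0], words[1:]
        verbs = READ_ONLY_VERBS.get(cli)
        if verbs is None:
            continue  # no policy for this CLI: leave it for manual review
        if not any(w in verbs for w in rest):
            findings.append((rule, f"grants every '{cli}' subcommand; narrow the prefix "
                                   f"to a read-only verb such as {sorted(verbs)}"))
    return findings


def audit_file(path):
    """Audit a settings file on disk, e.g. .claude/settings.local.json."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_SETTINGS)
    for rule, reason in results:
        print(f"{rule}: {reason}")
    sys.exit(1 if results else 0)
```

Run it against the project's settings file from a pre-commit hook or a cron job and the "too open" rules surface before the agent gets to use them; the non-zero exit makes it easy to fail a check rather than rely on someone reading the file.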

prodigycorp•4m ago
Claude is very happy to wipe remote dbs, particularly if you're using something like supabase's mcp server. Sometimes it goes down rabbitholes and tries to clean itself up with `rm -rf`.

There is definitely a real world risk. You should browse the ai coding subreddits, the regularity of `rm -rf` disasters is, sadly, a great source of entertainment for me.

frankc•23m ago
I think this makes sense but I wonder if firecracker would work better than vagrant for this? I haven't used it before, though. I guess it might if you are trying to run gas town level orchestration.
raesene9•2m ago
Firecracker can solve the kind of problems where you want more isolation than Docker provides, and it's pretty performant.

There's not a tonne of tooling for that use case now, although it's not too hard to put together. I vibe-coded something that works for my use case fairly quickly (CC + Opus 4.5 seemed to understand what's needed)

mavam•7m ago
For deploying Claude Code as agent, Cloudflare is also an interesting option.

I needed a way to run Claude marketplace agents via Discord. Problem: agents can execute code, hit APIs, touch the filesystem—the dangerous stuff. Can't do that in a Worker's 30s timeout.

Solution: Worker handles Discord protocol (signature verification, deferred response) and queues the task. Cloudflare Sandbox picks it up with a 15min timeout and runs claude --agent plugin:agent in an isolated container. Discord threads store history, so everything stays stateless. Hono for routing.

This was surprisingly little glue. And the Cloudflare MCP made it a breeze to debug (instead of headbanging against the dashboard). Still working on getting E2E latency down.

Retr0id•2m ago
> VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests. What are the odds.

I have such a love/hate relationship with VirtualBox. It's so useful but so buggy. My current installation has a bug that causes high network latency, but I'm afraid to upgrade in case it introduces new, worse bugs.

VMware is a million times better, but it is also Proprietary™
