Summarizer

Safety and Sandboxing

Practical concerns about giving AI agents shell access or file system permissions. Users discuss the risks of agents accidentally 'nuking' systems, installing unwanted dependencies, or running dangerous commands, and recommend solutions like running agents in containers, VMs, or using specific sandboxing tools like Leash to limit blast radius.


While some users cautiously rely on manual command approvals to prevent AI agents from accidentally "nuking" their systems or misconfiguring local environments, many argue that true safety requires robust sandboxing via tools like Leash, containers, or dedicated VMs. An agent that can read files, execute programs, and make HTTP requests is, as one commenter notes, one short step from Simon Willison's "lethal trifecta" (access to private data, exposure to untrusted content, and a channel to send data out); isolating the agent limits which files it can reach, what it can execute, and where it can send data, while still allowing developers to embrace a high-productivity "YOLO mode." By containing the potential blast radius in this way, users can run multiple agents in parallel with less worry, transforming a risky experiment into an efficient, multi-tasking workflow.
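
As an added example (not from the thread, and not the code of Leash, OpenCode, or Claude Code), the following POSIX shell script builds a `docker run` invocation for the kind of throwaway agent container several commenters describe: the project directory is the only writable host path, the root filesystem is read-only so the agent cannot install toolchains or services into the image at runtime, capabilities are dropped, and network access is selectable: none at all, a Docker `--internal` network shared only with a self-hosted model container (no route to the Internet), or the default bridge for agents tied to a hosted model API. The image name `local/agent:latest`, the network name `agent-lan`, the mount point `/work`, and the script name `agent-sandbox.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Leash, OpenCode or Claude Code): run a
# coding agent in a throwaway container whose blast radius is one project
# directory. Assumptions: Docker is installed, the agent and its toolchain are
# baked into AGENT_IMAGE (hypothetical name), and the only writable host path
# the agent needs is the project directory, mounted at /work.

AGENT_IMAGE="${AGENT_IMAGE:-local/agent:latest}"   # hypothetical image name
AGENT_NET="${AGENT_NET:-agent-lan}"                 # name of a docker --internal network

# Network modes, most to least restrictive:
#   none     - no network; only for agents whose model runs inside the same container
#   internal - docker --internal network: can reach other containers on it (e.g. a
#              self-hosted model server) but has no route to the Internet
#   bridge   - default egress; needed for agents tied to a hosted model API
sandbox_net_flags() {
  case "$1" in
    none)     printf '%s ' --network none ;;
    internal) printf '%s ' --network "$AGENT_NET" ;;
    bridge)   printf '%s ' --network bridge ;;
    *) echo "unknown network mode '$1' (use none|internal|bridge)" >&2; return 1 ;;
  esac
}

# Hardening that applies in every mode: read-only root (no runtime installs of
# languages or services), scratch space only on tmpfs, no capabilities, no
# setuid escalation, resource caps, and the host user's uid so files written
# to /work are owned by you rather than root.
sandbox_base_flags() {
  printf '%s ' \
    --rm --init \
    --read-only --tmpfs /tmp:rw,nosuid,size=512m -e HOME=/tmp \
    --cap-drop ALL --security-opt no-new-privileges \
    --pids-limit 512 --memory 4g --cpus 2 \
    --user "$(id -u):$(id -g)"
}

# Complete argument list for `docker run` (everything after the command word).
sandbox_run_args() {
  mode="$1"; project="$2"
  net="$(sandbox_net_flags "$mode")" || return 1
  printf '%s%s' "$(sandbox_base_flags)" "$net"
  printf '%s ' -v "$project:/work:rw" -w /work "$AGENT_IMAGE"
}

# Launch. In "internal" mode the network is created on first use; start your
# self-hosted model server with --network "$AGENT_NET" too so it is the only
# thing the agent can talk to. Paths containing whitespace are not supported
# by the unquoted expansion below.
run_agent_sandbox() {
  mode="$1"; project="$(cd "$2" && pwd)"; shift 2
  if [ "$mode" = internal ] && ! docker network inspect "$AGENT_NET" >/dev/null 2>&1; then
    docker network create --internal "$AGENT_NET" >/dev/null
  fi
  # shellcheck disable=SC2046
  docker run -it $(sandbox_run_args "$mode" "$project") "$@"
}

# Only launch when executed as a script by this name, e.g.
#   sh agent-sandbox.sh internal ./my-project opencode
case "${0##*/}" in
  agent-sandbox.sh) run_agent_sandbox "$@" ;;
esac
```

Two caveats a practitioner would want. First, the read-only root is what turns "it tried to install a specific language version on my machine" into a harmless error, so everything the agent legitimately needs has to be built into the image ahead of time, which is the per-project-stack approach one commenter describes. Second, the container still sees the whole project directory, including any `.env` files or credentials checked out there, and a container shares the host kernel; for code you do not trust at all, the VM approach mentioned in the thread is the stronger boundary.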

15 comments tagged with this topic

You can run OpenCode in a container restricted to the local network only and communicating with local/self-hosted models. Claude Code is linked to Anthropic's hosted models, so you can't achieve this.

> At a bare minimum, the agent must have the ability to: read files, execute programs, and make HTTP requests. That's one very short step removed from Simon Willison's lethal trifecta.

This is why I won't run Claude without additional sandboxing. I'm currently using (and quite pleased with) https://github.com/strongdm/leash

I will say one thing Claude does is that it doesn't run a command until you approve it, and you can choose between a one-time approval and always allowing a command's pattern. I usually approve the simple commands like `zig build test`, since I'm not particularly worried about the test harness. I believe it also scopes file reading by default to the current directory.

A lot of people run Claude with `--dangerously-skip-permissions`.

I'm definitely not running that on my machine.

The way this is generally implemented is that agents have the ability to request a tool use. Then you confirm "yes, you may run this grep".

Same, but I felt okay sticking my code base in a VM and then letting an agent run there. I'd say it worked well.

So does everyone just run with giving full permissions on Claude Code these days? It seems like I'm constantly coming back to CC to validate that it's not running some bash that's going to nuke my system. I would love to be able to fully step away, but it feels like I can't.

I sandbox everything inside https://github.com/strongdm/leash That way the blast radius is vastly reduced.

I run my agents with full permissions in containers. Feels like a reasonable tradeoff. Bonus is I can set up each container with exactly the stack needed.

Honest question: when was the last time you caught it trying to use a command that was going to "nuke your system"?

"Nuke" is maybe too strong of a word, but it has not been uncommon for me to see it trying to install specific versions of languages on my machine, or services I intentionally don't have configured, or sometimes trying to force npm when I'm using bun, etc.

Maybe once a month.

> I'm not [yet?] running multiple agents, and currently don't really want to

This is the main reason to use AI agents, though: multitasking. If I'm working on some Terraform changes and I fire off an agent loop, I know it's going to take a while for it to produce something working. In the meantime I'm waiting for it to come back and pretend it's finished (really I'll have to fix it), so I start another agent on something else. I flip back and forth between the finished runs as they notify me. At the end of the day I have 5 things finished rather than two. The "agent" doesn't have to be anything special either. Anything you can run in a VM or container (vscode w/copilot chat, any cli tool, etc) so you can enable YOLO mode.
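
The approval loop several commenters describe (approve a command once, or always allow a command's pattern, and refuse a short list of commands outright) reduces to a small gate that an agent harness can call before executing anything. The script below is an added example, not the configuration format or code of Claude Code, Leash, or any other tool mentioned on this page; the allow-list file format (one shell glob per line), the default path `~/.agent-allow`, the deny patterns, and the function names are all assumptions. `classify_command` returns a verdict and can be used on its own for auditing a transcript of proposed commands; `gate_and_run` wraps the interactive prompt around it.

```shell
#!/bin/sh
# Added example (not the code or config format of any tool on this page):
# an approval gate for commands proposed by an agent.
#   1. deny list  - hard refusals, matched first, not overridable by the allow list
#   2. allow list - shell globs the user has approved "always" (one per line)
#   3. anything else - ask; answering "always" appends the command to the allow list
# The file format, pattern lists and function names are all assumptions.

AGENT_ALLOW="${AGENT_ALLOW:-$HOME/.agent-allow}"   # hypothetical default location

# Hard refusals. Illustrative, not exhaustive: string matching only catches the
# obvious forms, which is why this gate belongs inside a container or VM rather
# than in place of one.
is_denied() {
  case "$1" in
    "rm -rf /"|"rm -rf / "*|"rm -rf /*"*|"rm -rf ~"*|"rm -rf \$HOME"*) return 0 ;;  # wipe root or home
    sudo|"sudo "*|doas|"doas "*|su|"su "*)                                return 0 ;;  # privilege escalation
    *"| sh"*|*"|sh"*|*"| bash"*|*"|bash"*)                                return 0 ;;  # curl ... | sh installers
    mkfs*|"dd "*"of=/dev/"*)                                              return 0 ;;  # raw disk writes
    "git push --force"*|"git push -f"*)                                   return 0 ;;  # remote history rewrite
    *--dangerously-skip-permissions*)                                     return 0 ;;  # nested YOLO mode
    *) return 1 ;;
  esac
}

# Allow-list lookup: each non-blank, non-comment line is a shell glob that is
# matched against the whole command string (e.g. "zig build test" or "bun *").
is_allowed() {
  cmd="$1"; allowfile="$2"
  [ -r "$allowfile" ] || return 1
  while IFS= read -r pat || [ -n "$pat" ]; do
    case "$pat" in ''|'#'*) continue ;; esac
    case "$cmd" in $pat) return 0 ;; esac   # unquoted on purpose: $pat is a glob
  done < "$allowfile"
  return 1
}

# Verdict for a proposed command: deny | allow | ask
classify_command() {
  if is_denied "$1"; then echo deny
  elif is_allowed "$1" "${2:-$AGENT_ALLOW}"; then echo allow
  else echo ask
  fi
}

# Interactive wrapper: run, refuse, or prompt. Returns 126 when the command was
# not run so the caller (the agent harness) can tell "refused" from "failed".
# The prompt reads from the terminal, not stdin, because stdin may be the agent.
gate_and_run() {
  cmd="$1"; allowfile="${2:-$AGENT_ALLOW}"
  case "$(classify_command "$cmd" "$allowfile")" in
    deny)  echo "refused (deny list): $cmd" >&2; return 126 ;;
    allow) sh -c "$cmd" ;;
    ask)
      printf 'agent wants to run: %s\n[y]es once / [a]lways allow this exact command / [n]o: ' "$cmd" >&2
      read -r answer </dev/tty || answer=n
      case "$answer" in
        a) printf '%s\n' "$cmd" >> "$allowfile"; sh -c "$cmd" ;;
        y) sh -c "$cmd" ;;
        *) echo "declined: $cmd" >&2; return 126 ;;
      esac ;;
  esac
}
```

The gate is a convenience, not a boundary: an allowed `bun *` or `zig build test` will happily execute whatever script or test file the agent wrote a moment earlier, so the "I'm not worried about the test harness" judgement only holds when the harness runs inside the same sandbox the rest of the thread recommends. Keep the allow list short and literal (exact commands rather than broad globs), and treat the deny list as a tripwire for the obvious cases rather than a filter that an adversarial prompt could not route around.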