Summarizer

LLM Input

llm/8632d754-c7a3-4ec2-977a-2733719992fa/topic-5-c3a01cd2-b5bb-472a-9681-201cee3ecc6a-input.json

prompt

The following is content for you to summarize. Do not respond to the comments—summarize them.

<topic>
Safety and Sandboxing # Practical concerns about giving AI agents shell access or file system permissions. Users discuss the risks of agents accidentally 'nuking' systems, installing unwanted dependencies, or running dangerous commands, and recommend solutions like running agents in containers, VMs, or using specific sandboxing tools like Leash to limit blast radius.
</topic>

<comments_about_topic>
1. You can run OpenCode in a container restricted to local network only and communicating with local/self-hosted models.

Claude Code is linked to Anthropic's hosted models so you can't achieve this.

2. > At a bare minimum, the agent must have the ability to: read files, execute programs, and make HTTP requests.

That's one very short step removed from Simon Willison's lethal trifecta.

3. This is why I won't run Claude without additional sandboxing. I'm currently using (and quite pleased with) https://github.com/strongdm/leash

4. I will say one thing Claude does is it doesn't run a command until you approve it, and you can choose between a one-time approval and always allowing a command's pattern. I usually approve the simple commands like `zig build test`, since I'm not particularly worried about the test harness. I believe it also scopes file reading by default to the current directory.

5. A lot of people run Claude with `--dangerously-skip-permissions`.

6. I'm definitely not running that on my machine.

7. The way this is generally implemented is that agents have the ability to request a tool use. Then you confirm "yes, you may run this grep".

8. Same, but I felt okay sticking my code base in a VM and then letting an agent run there. I’d say it worked well.

9. So does everyone just run with giving full permissions on Claude code these days? It seems like I’m constantly coming back to CC to validate that it’s not running some bash that’s going to nuke my system. I would love to be able to fully step away but it feels like I can’t.

10. I sandbox everything inside https://github.com/strongdm/leash

That way the blast radius is vastly reduced.

11. I run my agents with full permissions in containers. Feels like a reasonable tradeoff. Bonus is I can set up each container with exactly the stack needed.

12. Honest question, when was the last time you caught it trying to use a command that was going to "nuke your system"?

13. “Nuke” is maybe too strong of a word, but it has not been uncommon for me to see it trying to install specific versions of languages on my machine, or services I intentionally don’t have configured, or sometimes trying to force npm when I’m using bun, etc.

14. Maybe once a month

15. > I'm not [yet?] running multiple agents, and currently don't really want to

This is the main reason to use AI agents, though: multitasking. If I'm working on some Terraform changes and I fire off an agent loop, I know it's going to take a while for it to produce something working. In the meantime I'm waiting for it to come back and pretend it's finished (really I'll have to fix it), so I start another agent on something else. I flip back and forth between the finished runs as they notify me. At the end of the day I have 5 things finished rather than two.

The "agent" doesn't have to be anything special either. Anything you can run in a VM or container (vscode w/copilot chat, any cli tool, etc.) works, so you can enable YOLO mode.
</comments_about_topic>

Write a concise, engaging paragraph (3-5 sentences) summarizing the key points and perspectives in these comments about the topic. Focus on the most interesting viewpoints. Do not use bullet points—write flowing prose.

topic

Safety and Sandboxing # Practical concerns about giving AI agents shell access or file system permissions. Users discuss the risks of agents accidentally 'nuking' systems, installing unwanted dependencies, or running dangerous commands, and recommend solutions like running agents in containers, VMs, or using specific sandboxing tools like Leash to limit blast radius.

commentCount

15
