Posted by emilburzo 1/20/2026

Running Claude Code dangerously (safely) (blog.emilburzo.com)
351 points | 258 comments | page 6
yodon 1/20/2026|
Is anyone running Claude in a GitHub Codespace container?

There was this HN post[0] last week on a tool for automatically shutting down the codespace container when idle.

[0] https://github.com/wandb/catnip

rando77 1/20/2026||
I'm interested in capability based software, with tools to identify the lethal trifecta.

This seems like a very hard problem with coding specifically as you want unsafe content (web searches) to be able to impact sensitive things (code).

I'd love to find people to talk to about this stuff.

letmetweakit 1/20/2026||
I run Claude in a Proxmox VM; generally the experience has been great. In my experience it also behaves better than Gemini CLI, which likes to create files all over the place if set loose (lesson learned: add that requirement to the relevant .md files).
vidarh 1/20/2026||
Something that contains Claude even more in this respect is if you explicitly give it a directory that you tell it is entirely under its control, and tell it to write md files and other intermediate work products there (and this seems to work better than telling it where it isn't allowed to leave things).
onionisafruit 1/20/2026|||
That sounds like a good idea. When I have a one-off need for misc files I tell it to put them in the project’s ./tmp because that’s already in my global gitignore. That generally works, but I still run into surprise files it leaves in source dirs like a puppy leaves turds on a rug. I’ll try adding that to my instructions instead of doing it one-off.
jermaustin1 1/20/2026|||
I've often found that LLMs don't listen to "Don't do" commands with anywhere near the same gusto as "Do" commands.
NitpickLawyer 1/20/2026||
People don't usually think about pink elephants, unless you ask them not to think about pink elephants :)
vidarh 1/22/2026||
Indeed, a whole lot of criticisms against LLMs involve in part how they increasingly act too much like humans in ways people don't like from their computers...
chrisss395 1/20/2026|||
I too use this solution, using both Ubuntu LXCs and full-fledged VMs. Only issue I've struggled with has been losing SSH connection on the LXC, and tmux and session both seem to mess up the terminal formatting in CC.

I do agree with the security / cautionary comments and wouldn't leverage this setup outside a hacked together homelab.

emilburzo 1/20/2026|||
This was also the direction I was initially headed, but then I realized I wanted one-VM-per-project so it can really do anything it wants on the complete VM. So the blast-from-the-past-Vagrant won because of the Vagrantfile + `vagrant up` easiness.
letmetweakit 1/20/2026||
I use Proxmox snapshots to get back to a clean state. I’ll take a look at Vagrant too though.
scalemaxx 1/20/2026||
I installed Gemini as an extension in VS Code and it kept wanting to index all my files. Still trying to figure out what it was doing outside of the VS Code folder I had set it to work on.
zhoujianfu 1/20/2026||
I’ve always had it set up to dangerously skip permissions, I just start every new project in a vps, done. I’ve got it set up for the web too, give it a try at clodhost.com if you wanna help me beta test (you get a free VPS)!
frankc 1/20/2026||
I think this makes sense but I wonder if firecracker would work better than vagrant for this? I haven't used it before, though. I guess it might if you are trying to run gas town level orchestration.
raesene9 1/20/2026|
Firecracker can solve the kind of problems where you want more isolation than Docker provides, and it's pretty performant.

There's not a tonne of tooling for that use case now, although it's not too hard to put together. I vibe-coded something that works for my use case fairly quickly (CC + Opus 4.5 seemed to understand what's needed).

tobyhinloopen 1/20/2026||
How about running Claude as a different user with very limited permissions?
gregoriol 1/20/2026||
This breaks the non-interactive mode the post wants to achieve. Claude will not be able to install some things and will require user action, which is not desired here.
progval 1/20/2026||
Like what? It can already use npm/pip/etc. And if it needs a new APT package or config in /etc/ then you would want to know because you need to document it.
tstrimple 1/20/2026|||
Claude Code on NixOS feels like it has super powers. Being able to spin up a nix-shell with needed dependencies on demand gives it access to all sorts of tools I don't have or want installed on my base system. My "book-recommendation" claude code uses sqlite to manage my reading history and to-read and maybe-read lists but I never installed tools for sqlite and they aren't present on my NixOS desktop. It just launches a nix-shell with sqlite anytime it needs to read/modify the database. As long as the database file is within the directory claude code was launched from, it doesn't need to prompt for permission. With the caching that NixOS does, it's fast enough to not even think about.
gregoriol 1/20/2026|||
If you make claude work with c/c++, it may need apt for libraries or build tools.

Even with npm/pip, these may not be available on a base linux box.

Even then, some complex projects may need other tools that are not part of a base system (command line tools, redis, ...).

emilburzo 1/20/2026|||
I tried this approach for a while, but I really wanted it to be able to do anything (install system packages, build/run Docker containers, the works).

With these powers there's a lot less back-and-forth with me running commands, copying the output, pasting it to Claude, etc.

I'm sure you've had the case where you had to instruct someone to do something (e.g. playing tech support with family, helping another engineer, etc). While it helps the other person learn, it feels soooo slow vs just doing it yourself :) And since I don't have to teach the agent, I think this approach makes sense.

delaminator 1/20/2026||
I run it with sudo enabled - true story

just give it its own machine and let it check out any code

I PXE boot it from a known image when I feel the need

tobyhinloopen 1/20/2026|||
Running it remotely on a VM seems like a very sensible option. Just don't give it permission to nuke the remote repository hah (e.g. don't allow force-push, use protected branches, only allow write access to branches it created).
zh3 1/20/2026|||
Same solution here - keep a base diskless image on the server, copy it to the diskless area, pxeboot the machine. Works for Windows too (iscsi).

Could do the same thing on EC2 of course.

veqq 1/20/2026||
At current and prior $work, at Google or Amazon, we always have ways to work safely with this whether Java or Python, so this feels run of the mill.
csantini 1/20/2026||
Just create a new user and set up pip/npm to install locally.

And set up an .env for the project with user/password to access only a dev database.

mehdibl 1/21/2026||
Devcontainer is not Docker and does the trick!
snowmobile 1/20/2026|
How can you trust the AI to write (working) code if you can't even trust it to run commands on your dev machine?