Running Claude Code dangerously (safely)

Posted by emilburzo 19 hours ago

Running Claude Code dangerously (safely)(blog.emilburzo.com)

306 points | 237 commentspage 7

marcelcor 15 hours ago|

I'm a fan of https://e2b.dev/

woof 16 hours ago||

sandbox-exec on MacOS (ie. https://github.com/neko-kai/claude-code-sandbox) seems like the perfect solution to me.

Missing FreeBSD jails in 2026 is kind of weird (hello 1999)...

mhb 17 hours ago||

Forgive a naive question, but why not run it on an AWS (or equivalent) instance?

Retr0id 17 hours ago||

> VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests. What are the odds.

I have such a love/hate relationship with VirtualBox. It's so useful but so buggy. My current installation has a bug that causes high network latency, but I'm afraid to upgrade in case it introduces new, worse bugs.

VMware is a million times better, but it is also Proprietary™

intrasight 17 hours ago|

As VMWare Workstation is now free on Linux and Windows, and allows you to create and rollback snapshots. Why not use it even if proprietary?

Retr0id 17 hours ago|||

It's a good question and I'm pretty on the fence about it, and next time I'm reinstalling things I might switch.

I do believe in the whole RMS "respects the user's freedoms" spiel, so all things being equal I prefer FOSS, even if it's worse - but there are limits.

HWR_14 13 hours ago|||

And OSX. Or the functionality is free, but the name of the client might be different

alphax314 9 hours ago||

Am I the only one who has setup notifications in the terminal so when claude is done and asks for a permission or whatever else it might need the terminal has a red dot and is bouncing? I go back to it respond in two seconds and then switch back to whatever I was doing. It doesnt feel that disruptive that I would want to run it with the —dangerous flag.

jackcarter 16 hours ago||

"At some point I realized that rather than do something else until it finishes, I would constantly check on it to see if it was asking for yet another permission, which felt like it was missing the point of having an agent do stuff"

Why don't Claude Code & other AI agents offer an option to make a sound or trigger a system notification whenever they prompt for approval? I've looked into setting this up, and it seems like I'd have to wire up a script that scrapes terminal output for an approval request. Codex has had a feature request open for a while: https://github.com/openai/codex/issues/3052

AndroidKitKat 16 hours ago|

When using Claude Code in Ghostty on macOS, I get notifications if it is waiting on my input (accept changes, questionnaire, run bash command). Dunno what combination (if any) of my setup is needed for this to happen, but I certainly didn't configure anything special. Maybe I'm giving CC too much free reign to do things.

cyberpunk 17 hours ago||

docker sandbox run claude? seems to work for me…

ompogUe 7 days ago||

Keeping in mind with Vagrant: if you are using a synced_folder in your host as a source folder in the VM, those files in the synced_folder will be modified on the host.

gregoriol 18 hours ago||

If the folder is versioned and commited regularly there is no problem. It also allows you to open the files in your IDE, do some other tasks or fixes for claude. It prevents claude from accessing any other folder, which is the idea of the post.

gcr 18 hours ago|||

I’ve seen Claude rm .git in rare occasions to “fix rebase hiccups”

Version control ain’t a match for a good backup

gregoriol 17 hours ago||

So? if it removes .git, just clone the project again and you are ok

fragmede 16 hours ago|||

Until Claude nukes .git, assuming you're using git as the version/commit store. Solution use easy, just push to a remote on a reasonable cadence (that you can run reflog on, so a force push won't eat your data either). Git isn't backup though, it's a VCS, and those are two different things, even if they are somewhat alike.

emilburzo 6 days ago|||

Good point. For me, that was intentional, since all my projects are in git I don't care if it messes something up. Then you get the benefit of being able to use your regular git tooling/flows/whatever, without having to add credentials to the VM.

But if you need something more strict, 'config.vm.synced_folder' also supports 'type rsync', which will copy the source folder at startup to the VM, but then it's on you to sync it back or whatever.

ompogUe 6 days ago||

I like this workflow a lot, actually. Docker is great and all, but depending on the project, Vagrant helps "keep it simple".

Thanks

ninadwrites 18 hours ago||

[dead]

firasd 18 hours ago||

I noticed something in Claude across all product surfaces

There's a bug in that it can't output smart quotes “like this”

Sonnet, Opus et al think they output it but something in the pipeline is rewriting it

https://github.com/firasd/vibesbench/blob/main/docs/2026/A/t...

Try it in Claude Code and you'll see what I mean! Very weird

szmarczak 17 hours ago|

What about Docker rootless?

More comments...