
Posted by emilburzo 1/20/2026

Running Claude Code dangerously (safely) (blog.emilburzo.com)
351 points | 258 comments | page 7
svilen_dobrev 1/20/2026|
can't it generate a program that (generates a program that)+ does whatever? in different languages, and in increasing level of dereferencing..

industrially-making-exploits.. : https://news.ycombinator.com/item?id=46676081

CGMthrowaway 1/20/2026||
What is the equivalent of this, for Claude Cowork? Can anyone point me to a guide on how to safely use that?
marcelcor 1/20/2026||
I'm a fan of https://e2b.dev/
woof 1/20/2026||
sandbox-exec on macOS (i.e. https://github.com/neko-kai/claude-code-sandbox) seems like the perfect solution to me.

Missing FreeBSD jails in 2026 is kind of weird (hello 1999)...

messh 1/20/2026||
the shellbox VMs work great as sandbox for Claude-Code. It uses ssh to create and connect to the boxes -- very simple and quick to set up

check it out: https://shellbox.dev

mhb 1/20/2026||
Forgive a naive question, but why not run it on an AWS (or equivalent) instance?
guluarte 1/20/2026||
docker has sandboxes for this https://docs.docker.com/ai/sandboxes/

docker sandbox run claude

oofbey 1/20/2026||
There are two spheres of influence you need to consider. The local machine/vm/container that the agent is running in. But also the effect the agent can have on the outside world - using auth tokens or ssh keys or APIs that it has access to. This article largely deals with the first problem and ignores the second.

You can have the local environment completely isolated with vagrant. But if you’re not careful with auth tokens it can (and eventually will when it gets confused) go wipe the shared dev database or the GitHub repo. The author kinda acknowledges this, but it’s glossing over a big chunk of the problem. If it can push to GitHub, unless you’ve set up your tokens carefully it can delete things too. Having a local isolated test database separate from the shared infrastructure is a matter of a mature dev environment, which is a completely separate thing from how you run Claude. Two of the three examples cited as “no, no, no” are not protected by vagrant or docker or even EC2. It’s what tokens the agent has and needs.

emilburzo 1/20/2026|
Hmm, perhaps I'm missing something, so let's go through it step by step and see where the disconnect is:

- There's a cloned 'my-project' git repo on the base OS

- The 'Vagrantfile' is added to the project

- 'vagrant up', 'vagrant ssh' and claude login is run inside the VM

At this stage, besides the source code and the Claude Code token (after logging in), there are no other credentials on the VM: no SSH keys, no DB credentials, no API tokens, nothing.

There is also no need to add:

- SSH keys or GitHub tokens: because git push/pull is handled outside the VM

- DB credentials: because Claude can just install a DB inside the VM and run the project migrations against that isolated instance, not any shared/production database

API tokens can definitely be a problem if you need external service integration. But that's an explicit opt-in decision, you'd have to deliberately add those credentials to the Vagrantfile or sync them in. At that point, yes, you need proper token scoping and permissions.
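
Added example, not part of the thread or of the linked article: a shell check for the claim in the comment above that the VM holds no SSH keys, DB credentials or API tokens. The file list and token patterns are assumed common defaults, and `audit_creds` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): list credentials visible under a
# sandbox home directory before an agent is started there.
# The file list and patterns are assumed common defaults, not a complete set.

# Well-known credential files, relative to the directory being audited.
CRED_FILES=".aws/credentials .git-credentials .netrc .pgpass
.config/gh/hosts.yml .docker/config.json .kube/config"

# Content patterns: PEM private keys, GitHub tokens, AWS access key IDs.
CRED_REGEX='-----BEGIN [A-Z ]*PRIVATE KEY-----|gh[pousr]_[A-Za-z0-9]{36}'
CRED_REGEX="$CRED_REGEX|github_pat_[A-Za-z0-9_]{22,}|AKIA[0-9A-Z]{16}"

# audit_creds DIR: print one "kind: path" line per finding.
# Returns 0 when nothing is found, 1 otherwise.
audit_creds() {
  _root=$1
  _found=0
  for _rel in $CRED_FILES; do
    if [ -s "$_root/$_rel" ]; then
      printf 'file: %s\n' "$_root/$_rel"
      _found=1
    fi
  done
  # -I skips binary files, -l prints only the names of matching files.
  _hits=$(grep -rIlE -e "$CRED_REGEX" "$_root" 2>/dev/null || true)
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits" | sed 's/^/secret: /'
    _found=1
  fi
  # A forwarded SSH agent lets the guest use host keys without any key file.
  if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; then
    printf 'agent: %s\n' "$SSH_AUTH_SOCK"
    _found=1
  fi
  return "$_found"
}

# Run against a directory when one is given, e.g.: sh audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
  audit_creds "$1"
fi
```

Run it inside the guest against the home directory and the synced project folder; any line of output is something the agent can read and use.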

oofbey 1/22/2026||
Integration tests are where it breaks down. Assuming Claude can just install whatever infrastructure it needs inside the VM only works for relatively simple projects. Claude probably isn’t going to install a Kafka queue in your VM. Or a k8 cluster. Maybe it could. But unless you’re in a monorepo it wouldn’t know how to configure it properly.
rwestergren 1/21/2026||
I think VMs with snapshots would negate the need for Vagrant.
Retr0id 1/20/2026|
> VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests. What are the odds.

I have such a love/hate relationship with VirtualBox. It's so useful but so buggy. My current installation has a bug that causes high network latency, but I'm afraid to upgrade in case it introduces new, worse bugs.

VMware is a million times better, but it is also Proprietary™

intrasight 1/20/2026|
As VMware Workstation is now free on Linux and Windows, and allows you to create and roll back snapshots, why not use it even if proprietary?
Retr0id 1/20/2026|||
It's a good question and I'm pretty on the fence about it, and next time I'm reinstalling things I might switch.

I do believe in the whole RMS "respects the user's freedoms" spiel, so all things being equal I prefer FOSS, even if it's worse - but there are limits.

HWR_14 1/20/2026|||
And OSX. Or the functionality is free, but the name of the client might be different