
Are you giving Claude Code full access to your machine? This is worth reading.
Patrick McCanna published a practical guide on how to sandbox AI agents using Bubblewrap, the same tool Anthropic uses internally, but under your own control.
Why is this a problem?
When you run Claude Code with `--dangerously-skip-permissions`, the agent has access to:
- Your `.env` files with credentials
- SSH keys in `~/.ssh/`
- Browser profiles, photos, documents

If the agent has a bug or gets exploited, it can exfiltrate that data.
The solution: Bubblewrap

```bash
# Assumes a merged-/usr distro (/bin, /lib and /lib64 are symlinks into /usr);
# on other layouts bind those directories read-only instead of symlinking them.
# /etc is bound read-only for DNS, CA certificates and passwd lookups;
# /proc, /dev and a private /tmp are the minimum most runtimes need to start.
bwrap \
  --ro-bind /usr /usr \
  --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
  --ro-bind /etc /etc \
  --proc /proc --dev /dev --tmpfs /tmp \
  --bind "$PROJECT_DIR" "$PROJECT_DIR" \
  --bind "$HOME/.claude" "$HOME/.claude" \
  --ro-bind /dev/null "$PROJECT_DIR/.env" \
  --ro-bind /dev/null "$PROJECT_DIR/.env.local" \
  --share-net --unshare-pid --die-with-parent \
  "$(command -v claude)" --dangerously-skip-permissions "..."
```

The key trick: `--ro-bind /dev/null "$PROJECT_DIR/.env"` mounts an empty file over `.env`, so the agent still sees the file but reads nothing from it, and tooling that expects the file to exist keeps working.
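To see the masking trick working end to end, here is an added example (my own script, not from the post or from McCanna's guide) that wraps a reduced version of the command above in shell functions: one builds the masking arguments for a list of secret files, one runs an arbitrary command in the sandbox, and two probes check what the sandboxed process can actually read. The helper names, the temporary project directory and the `.env` contents are constructed for the demonstration; the script assumes a merged-/usr Linux host with bwrap installed and unprivileged user namespaces enabled, and it reports rather than fails when no sandbox can be started.

```shell
#!/bin/sh
# Added example, not from the post or from McCanna's guide. Assumes Linux with
# bwrap installed, unprivileged user namespaces enabled, and a merged /usr.
# Helper names, the temporary project and its .env contents are constructed.

# Emit one "--ro-bind /dev/null PATH" pair per secret file name, so each file
# reads as empty inside the sandbox. Usage: mask_args PROJECT_DIR NAME...
mask_args() {
  dir=$1
  shift
  for name in "$@"; do
    printf '%s %s\n' '--ro-bind /dev/null' "$dir/$name"
  done
}

# Run COMMAND inside a reduced version of the post's sandbox: read-only /usr,
# minimal /proc, /dev and /tmp, the project directory writable, secrets masked,
# network shared, PID namespace unshared. Nothing else from $HOME is visible.
# Usage: run_sandboxed PROJECT_DIR COMMAND [ARGS...]
run_sandboxed() {
  dir=$1
  shift
  # $(mask_args ...) is intentionally unquoted so it expands to separate
  # arguments; this breaks on project paths that contain whitespace.
  bwrap \
    --ro-bind /usr /usr \
    --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --proc /proc --dev /dev --tmpfs /tmp \
    --bind "$dir" "$dir" \
    $(mask_args "$dir" .env .env.local) \
    --share-net --unshare-pid --die-with-parent \
    --chdir "$dir" \
    "$@"
}

# Return 0 only when bwrap is present and can actually start a sandbox here
# (user namespaces may be disabled on hardened hosts or inside containers).
bwrap_available() {
  command -v bwrap >/dev/null 2>&1 || return 1
  bwrap --ro-bind /usr /usr --symlink usr/bin /bin \
    --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    /bin/true >/dev/null 2>&1
}

# Create a throwaway project holding a constructed secret, then print how many
# bytes of .env the sandboxed process can read. Expected: 0.
masked_env_size() {
  work=$(mktemp -d)
  mkdir "$work/project"
  printf 'API_KEY=constructed-secret-for-demo\n' > "$work/project/.env"
  size=$(run_sandboxed "$work/project" /bin/sh -c 'wc -c < .env')
  rm -rf "$work"
  printf '%s\n' "$size"
}

# Return 0 if the sandboxed process can list $HOME/.ssh, 1 if it cannot.
# Expected: 1, because nothing under $HOME is bound into the sandbox.
ssh_dir_visible() {
  work=$(mktemp -d)
  mkdir "$work/project"
  if run_sandboxed "$work/project" /bin/sh -c 'ls "$HOME/.ssh" >/dev/null 2>&1'; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: report what the sandbox hides on this machine.
if bwrap_available; then
  printf 'bytes of .env readable inside sandbox: %s\n' "$(masked_env_size)"
  if ssh_dir_visible; then echo 'WARNING: ~/.ssh is visible'; else echo '~/.ssh is hidden'; fi
else
  echo 'bwrap unavailable here; functions defined but not exercised'
fi
```

The two probes are the check worth keeping around: after any change to the bwrap arguments, re-run them to confirm that the masked files still read as empty and that the home directory is still invisible, since a single extra `--bind "$HOME"` would silently undo both protections.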
Bubblewrap vs Docker vs dedicated account:

| Aspect | Bubblewrap | Docker | Dedicated account |
|---|---|---|---|
| Simplicity | One command | Daemon + YAML | Complex ACLs |
| Network control | Granular | Granular | No control |
| No daemon required | Yes | No | Yes |
| Works for any agent | Yes | Yes | Partially |
Explanation in a nutshell
A “sandbox” is like a playpen where a program can run but can’t touch the rest of the system. Bubblewrap is a Linux tool that creates that playpen: it tells the AI agent “you can work in this folder, but you can’t see passwords, SSH keys, or anything outside what I allow.” It’s like giving someone access to your desk but keeping all the drawers locked.
More information at the link.
