If you let an agent execute shell commands on your host, you've delegated your full user privileges to a system that takes instructions from text it reads on the internet. Put the agent in a box.

Canonical references

What Karpathy actually says

Andrej Karpathy (who coined "vibe coding") frames it as an autonomy slider — dial between tight human control and longer AI leashes. He's been candid about the failure mode: agents that run too long produce slop, and he has personally accepted changes without reading the diffs. His AutoResearch project codifies the discipline:

  • Strict time budget per experiment — runs can't expand indefinitely.
  • Single success metric — only changes that improve the metric are kept.
  • Automatic rollback — failed or worse-performing changes are reverted automatically.

These constraints effectively create a sandbox where LLMs operate in short bursts with clear success metrics and automatic rollback. The lesson for vibe coding: give the agent a contained environment, narrow goal, and a way to undo.

Why this matters

--dangerously-skip-permissions is the most attractive footgun in modern dev tooling. So convenient, so destructive, that Anthropic's own docs call it out by name.

Real incidents from the last year (each documented in advisories/):

  • Dec 2025: Claude generated rm -rf tests/ patches/ plan/ ~/ and ~/ expanded to the home directory. User lost desktop files, keychain, and application data.
  • Jul 2025: Amazon Q wiper prompt would have wiped local files and AWS resources if better-formed.
  • Jul 2025: Supabase lethal trifecta exfiltrates DB rows via prompt injection in user-submitted content.
  • Apr 2026: Comment and Control — CVSS 9.4 — hits Claude Code Security Review, Gemini CLI, Copilot Agent on GitHub Actions runners.

The pattern: agent reads untrusted text → agent generates a tool call → tool call runs with your privileges.

The hierarchy of sandboxing

From least to most isolated. Pick the highest level you can tolerate.

Level 0 — confirm every command (default)

Don't pass --dangerously-skip-permissions (or equivalent). Review each shell command and file edit before approving.

Cost: mild friction. Catches: most accidents and obvious injections.

Level 1 — Claude Code's built-in sandbox

As of late 2025, Claude Code ships with official sandboxing — filesystem isolation (read-write only in the working directory) + network isolation (via a unix-domain-socket proxy). Enable it; it reduces permission-prompt fatigue by ~84% per Anthropic's measurements without giving up safety.

For Auto Mode (March 2026), Anthropic's official guidance is only use it in a sandboxed environment. Don't run Auto Mode on the host.

Run the agent inside a devcontainer or VS Code Remote Container. Agent can rm -rf to its heart's content; your host filesystem is untouched.

// .devcontainer/devcontainer.json
{
  "name": "agent-sandbox",
  "image": "mcr.microsoft.com/devcontainers/typescript-node:20",
  "mounts": [
    "source=${localWorkspaceFolder},target=/workspace,type=bind"
  ],
  "remoteEnv": {
    // Inject only what the agent needs; not your full host env
    "ANTHROPIC_API_KEY": "${localEnv:ANTHROPIC_API_KEY}"
  },
  "postCreateCommand": "npm install --ignore-scripts"
}

Anthropic publishes a reference devcontainer for Claude Code — fork that as a starting point.

Cost: initial setup ~5 minutes per project. Catches: filesystem destruction, credential theft from ~/, most npm install fallout.

Level 3 — Docker container with no network

For exploratory / "let me try this random repo" work:

docker run --rm -it \
  -v "$PWD:/work" -w /work \
  --network=none \
  node:20 bash

No outbound network = no credential exfiltration. Cost: can't npm install. Catches: everything network-dependent.

Level 4 — VM (Lima / OrbStack / UTM)

Fresh user account, no host filesystem mount unless needed. The most isolated practical option.

Cost: heavier resource use. Catches: kernel-level escapes, the rare container breakout.

Level 5 — separate physical machine

A junk laptop or Raspberry Pi for unsupervised overnight runs. Cost: real money. Catches: literally everything.

Specific tool guidance

Claude Code

  • Default: claude — confirm-each-step. Keep it this way unless you're in a sandbox.
  • Inside a devcontainer (or with Anthropic's built-in sandbox): Auto Mode or --dangerously-skip-permissions is reasonable. See Auto Mode docs.
  • On your host: never --dangerously-skip-permissions. The brief productivity boost isn't worth a December-2025-Reddit-thread of losing your home directory.
  • Restrict tools: use --allowedTools to whitelist only what's needed. Block Bash when you can.
  • Restrict MCPs: keep only MCPs you've vetted. → mcp-hygiene.md

Cursor

  • Keep updated (≥1.7 to avoid CurXecute / MCPoison / case-sensitivity bugs — see advisory).
  • Review every MCP entry; pin exact versions in mcp.json.
  • For agent mode running shell commands, prefer in-app per-command confirmation.

Windsurf

  • Update past 1.9544.26 — CVE-2026-30615 is a zero-click MCP RCE.
  • Same MCP hygiene as Cursor / Claude Code.

v0 / Lovable / Bolt / Replit

The "isolated identity" trick

Inside the sandbox, set up a fresh GitHub / npm / cloud identity with only the permissions the agent needs. If the agent goes rogue, only the sandbox identity gets revoked — your real account is untouched.

Example: a gh-bot GitHub account that's added as a collaborator with write only on the specific repos the agent works on. When the agent goes off, revoke the bot and rotate.

What this does and doesn't solve

Solves:

  • Accidental destructive shell commands.
  • Filesystem credential theft from ~/.
  • Outbound exfiltration (Level 3+).

Doesn't solve:

  • Bad code being committed and merged (you still need review — see the auditing playbook).
  • The agent leaking via something it has legitimate access to (a connected MCP — see mcp-hygiene.md).
  • Prompt-injected actions within the agent's allowed scope (e.g., agent has DB write, gets injected to write attacker data — the lethal trifecta).

Defense in depth: sandbox + review + least-privilege MCPs + least-privilege credentials.

Further reading