← all news

How Anthropic contains Claude across its products

Engineering · · · source (simonwillison.net)

Anthropic published a long write-up on how it sandboxes the three places Claude runs code, and Simon Willison flags it as one of the most thorough product-side security disclosures he has seen from a frontier lab. Claude.ai uses gVisor. Local Claude Code uses Seatbelt on macOS and Bubblewrap on Linux. Claude Cowork runs in a full virtual machine, using Apple's Virtualization framework on macOS and the Hyper-V Compute Service on Windows. The stated goal is a hard boundary on what an agent can reach, with a second rule that credentials never enter the sandbox in the first place.

The post is also unusually honest about what the team got wrong. It walks through previously missed risks, including an exfiltration vector through api.anthropic.com/v1/files, and it spells out the limits of the network design. Because the proxy enforces an allowlist on the requested hostname without terminating TLS, broad rules like allowing all of github.com can be turned into data exfiltration paths through domain fronting. Anthropic ships its sandbox primitives as the open-source @anthropic-ai/sandbox-runtime package, so the same boundaries can wrap other agents.

If you run agents in production, the patterns are directly usable. Treat filesystem and network isolation as a pair, keep credentials out of the sandbox rather than relying on the network rules, and prefer narrow allowlists over wildcarded domains.

Why it matters

If you build with Claude Code or any other agent that runs commands on a developer's machine, this is the closest thing yet to a published reference for what "safe by default" looks like. The candid disclosure of past mistakes also sets a useful bar for what to ask other vendors before you trust their agents with your filesystem.

AnthropicSecurityAgents