Claude Code Gets Sandboxing: 84% Fewer Permission Prompts
Anthropic added OS-level sandboxing to Claude Code, cutting permission prompts by 84% while blocking prompt injection attacks. The sandbox runtime is open source, and Claude Code now runs securely in the cloud.
TL;DR
- Anthropic added OS-level sandboxing to Claude Code with filesystem and network isolation
- Internal testing shows 84% reduction in permission prompts while increasing security
- New sandboxed bash tool and cloud-based Claude Code on the web both available now
- Sandbox runtime is open source — other agent builders can use it
The Big Picture
Claude Code has a permission problem. Every time it wants to run a command or modify a file, it asks for approval. This is secure, but it's also slow and annoying. Developers end up in "approval fatigue" mode, clicking yes without reading what they're approving. That's worse than no security at all.
Anthropic's solution is sandboxing — not the Docker kind, but OS-level isolation using Linux bubblewrap and macOS Seatbelt. The approach creates defined boundaries where Claude can work freely, then blocks everything outside those boundaries. The result: 84% fewer permission prompts in internal testing, with better security than the old permission model.
This matters because long-running agents need to operate autonomously without constant human intervention. But autonomy without isolation is dangerous. A prompt injection attack could steal SSH keys, modify system files, or exfiltrate data to an attacker's server. Sandboxing solves this by making Claude more autonomous and more secure at the same time.
How It Works
Anthropic's sandboxing enforces two types of isolation: filesystem and network. Both are required. Without filesystem isolation, a compromised agent can modify sensitive files. Without network isolation, it can phone home with your credentials.
The filesystem sandbox allows read and write access to the current working directory, but blocks everything else. If Claude tries to access /etc/passwd or ~/.ssh/id_rsa, the OS blocks it at the kernel level. This isn't a Python wrapper that can be bypassed — it's enforced by the operating system itself.
Network isolation is more complex. The sandbox blocks all direct network access. Instead, outbound connections route through a Unix domain socket to a proxy server running outside the sandbox. This proxy enforces domain restrictions and prompts for user confirmation when Claude requests access to a new domain. You can customize the proxy to enforce arbitrary rules on outgoing traffic.
The sandboxed bash tool uses this runtime to execute commands. Inside the sandbox, Claude runs autonomously. If it tries to access something outside the defined boundaries, you get notified immediately and can approve or deny the request.
Anthropic built this on top of existing OS primitives rather than containers. Linux bubblewrap and macOS Seatbelt provide the enforcement layer. These tools cover not just Claude Code's direct interactions, but also any scripts, programs, or subprocesses spawned by the command. A malicious script can't escape the sandbox by spawning a child process.
The architecture is configurable. You can allow or disallow specific file paths and domains. If you're working on a web scraper, you might allow access to specific APIs. If you're working on local tooling, you might block all network access entirely.
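The two rules described above (a path is allowed only if it stays inside the working directory; a host is allowed, denied, or triggers a prompt according to a domain allowlist) are easy to get subtly wrong, so here they are written out as testable policy functions. This is an added example, not Anthropic's code: bubblewrap, Seatbelt and the egress proxy do the actual enforcing, and this script only reproduces the decision logic. The `EgressPolicy` class, `path_allowed` function and all paths and hostnames are constructed for the illustration.

```python
"""Decision logic of the kind a filesystem sandbox and its egress proxy apply.

Added example, not Anthropic's code. It models only the rules, not the kernel
enforcement: (1) a path is allowed only if it *resolves* inside the working
directory, (2) a host is allowed, denied, or prompts the user according to an
allowlist that the user's answers extend over time.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Iterable, Literal

Decision = Literal["allow", "deny", "prompt"]


def path_allowed(requested: str, workdir: str) -> bool:
    """Return True only if `requested` resolves to a location inside `workdir`.

    Resolving both sides first is what defeats `../` traversal and symlinks
    that point out of the project; a prefix check on the raw string would be
    fooled by "<workdir>/../.ssh/id_rsa".
    """
    root = Path(workdir).resolve()
    target = Path(requested)
    if not target.is_absolute():
        target = root / target
    target = target.resolve()  # non-strict: also works for files not yet created
    return target == root or root in target.parents


class EgressPolicy:
    """Domain allowlist as the proxy outside the sandbox would apply it.

    Unknown hosts return "prompt" (the article's behaviour: the user is asked
    the first time Claude requests a new domain). A rule matches the exact
    host or any subdomain of it, never a look-alike suffix, and IP literals
    are only allowed if listed explicitly.
    """

    def __init__(self, allow: Iterable[str] = (), deny: Iterable[str] = ()):
        self._allow = {h.lower().rstrip(".") for h in allow}
        self._deny = {h.lower().rstrip(".") for h in deny}

    @staticmethod
    def _matches(host: str, rules: set[str]) -> bool:
        return any(host == r or host.endswith("." + r) for r in rules)

    def decide(self, host: str) -> Decision:
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if self._matches(host, self._deny):  # an explicit deny wins over allow
            return "deny"
        if self._matches(host, self._allow):
            return "allow"
        return "prompt"

    def record_answer(self, host: str, allowed: bool) -> None:
        """Persist the user's answer to a prompt so it is not asked again."""
        (self._allow if allowed else self._deny).add(host.lower().rstrip("."))


def demo() -> dict[str, object]:
    """Exercise both rules against a throwaway working directory."""
    with tempfile.TemporaryDirectory() as work:
        inside = path_allowed("src/main.py", work)  # constructed project file
        traversal = path_allowed(os.path.join(work, "..", "..", "etc", "passwd"), work)
        ssh_key = path_allowed("/home/dev/.ssh/id_rsa", work)  # constructed absolute path
        link = os.path.join(work, "escape")  # symlink inside the project pointing outside
        os.symlink("/etc", link)
        via_symlink = path_allowed(os.path.join(link, "passwd"), work)

    policy = EgressPolicy(allow={"github.com", "pypi.org"})  # constructed allowlist
    first_seen = policy.decide("registry.npmjs.org")  # user would be prompted here
    policy.record_answer("registry.npmjs.org", allowed=True)
    return {
        "inside": inside, "traversal": traversal,
        "ssh_key": ssh_key, "via_symlink": via_symlink,
        "subdomain": policy.decide("Api.GitHub.com."),
        "lookalike": policy.decide("evilgithub.com"),
        "first_seen": first_seen,
        "after_answer": policy.decide("registry.npmjs.org"),
        "ip_literal": policy.decide("203.0.113.7"),
    }
```

The symlink case is the one to keep in mind when writing path rules: a link created inside the project can point anywhere, so a check that only looks at the requested string, not the resolved target, is not a boundary at all.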
Claude Code on the web takes a different approach. It runs each session in an isolated cloud sandbox where Claude has full access to its server. Sensitive credentials like git tokens and signing keys never enter the sandbox. Instead, a custom proxy service handles all git interactions.
When Claude runs a git command inside the sandbox, it authenticates to the proxy with a scoped credential. The proxy verifies the credential and the contents of the git interaction — ensuring it's only pushing to the configured branch — then attaches the real authentication token before sending the request to GitHub. This way, even if the code running in the sandbox is compromised, the attacker never gets access to your GitHub token.
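The credential-swapping proxy described above is a small but important design, so here it is as a worked model. This is an added example and not Anthropic's proxy: it assumes the session inside the sandbox is given a short-lived HMAC-signed token bound to one repository and one branch, that the proxy alone holds the signing key and the real GitHub token, and that a push can be represented as a list of refs being updated (git's actual wire protocol is not modelled). All names, keys and tokens are constructed placeholders.

```python
"""Scoped-credential git proxy in the style the article describes.

Added example, not Anthropic's proxy. The only credential that ever enters the
sandbox is a short-lived token scoped to (repo, branch). The proxy verifies it,
checks that every ref being pushed is the configured branch, and only then
attaches the real token for the upstream request.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional


def _sign(key: bytes, payload: str) -> str:
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def mint_scoped_token(key: bytes, session_id: str, repo: str, branch: str,
                      ttl_s: int = 3600, now: Optional[float] = None) -> str:
    """Issued when the session starts; this is what the sandbox gets to see."""
    exp = int((time.time() if now is None else now) + ttl_s)
    claims = {"sid": session_id, "repo": repo, "branch": branch, "exp": exp}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(key, body)}"


def verify_scoped_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(key, body)):
        return None  # forged or tampered
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None  # expired
    return claims


@dataclass
class PushRequest:
    """Simplified push: target repo, refs being updated, and HTTP headers."""
    repo: str
    ref_updates: list[str]  # e.g. ["refs/heads/claude/fix-tests"]
    headers: dict[str, str] = field(default_factory=dict)


class GitProxy:
    def __init__(self, key: bytes, real_token: str):
        self._key = key
        self._real_token = real_token  # lives only in the proxy process

    def handle_push(self, req: PushRequest, now: Optional[float] = None):
        """Return (status, upstream_headers); headers are None when refused."""
        scheme, _, token = req.headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, None
        claims = verify_scoped_token(self._key, token, now)
        if claims is None:
            return 401, None
        if claims["repo"] != req.repo:
            return 403, None
        allowed_ref = f"refs/heads/{claims['branch']}"
        if not req.ref_updates or any(ref != allowed_ref for ref in req.ref_updates):
            return 403, None  # only the configured branch may be updated
        upstream = dict(req.headers)
        upstream["Authorization"] = f"Bearer {self._real_token}"  # swap happens here
        return 200, upstream


def demo() -> dict[str, object]:
    key = b"constructed-hmac-key-for-the-example"
    proxy = GitProxy(key, real_token="REAL-GITHUB-TOKEN-PLACEHOLDER")
    t0 = 1_700_000_000.0
    token = mint_scoped_token(key, "sess-1", "example-org/app", "claude/fix-tests", now=t0)
    hdr = {"Authorization": f"Bearer {token}"}
    good = PushRequest("example-org/app", ["refs/heads/claude/fix-tests"], hdr)
    ok = proxy.handle_push(good, now=t0 + 60)
    wrong_branch = proxy.handle_push(PushRequest("example-org/app", ["refs/heads/main"], hdr), now=t0 + 60)
    wrong_repo = proxy.handle_push(PushRequest("example-org/infra", good.ref_updates, hdr), now=t0 + 60)
    forged_hdr = {"Authorization": f"Bearer {token[:-1]}A"}  # flip the last signature char
    forged = proxy.handle_push(PushRequest("example-org/app", good.ref_updates, forged_hdr), now=t0 + 60)
    expired = proxy.handle_push(good, now=t0 + 7200)
    return {
        "ok": ok[0], "upstream_auth": ok[1]["Authorization"],
        "wrong_branch": wrong_branch[0], "wrong_repo": wrong_repo[0],
        "forged": forged[0], "expired": expired[0],
        "sandbox_sees_real_token": "REAL-GITHUB-TOKEN-PLACEHOLDER" in token,
    }
```

The point to take from the model is the last field: code running inside the sandbox only ever handles the scoped token, so a compromise there yields a credential that can push to exactly one branch of one repository until it expires, not the account-wide token.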
What This Changes For Developers
The immediate impact is fewer interruptions. Instead of approving every npm install or git commit, you define boundaries once and let Claude work. This is especially useful for tool use workflows where Claude needs to run multiple commands in sequence.
The security improvement is less visible but more important. Prompt injection is a real threat for AI coding tools. A malicious README file or code comment can trick Claude into running arbitrary commands. Without sandboxing, that's game over. With sandboxing, the attack is contained. The compromised agent can't access your SSH keys, can't modify system files, and can't exfiltrate data to an external server.
For teams building their own agents, the open source sandbox runtime is the bigger story. Anthropic released the code on GitHub as a research preview. Other agent frameworks can integrate this technology to improve their security posture. The runtime is designed to sandbox arbitrary processes, agents, and MCP servers — not just Claude Code.
Claude Code on the web enables a different workflow. You can start a coding session from any browser without installing anything locally. The cloud sandbox handles execution, and the git proxy ensures your credentials stay secure. This is useful for quick prototyping, code reviews, or working from a locked-down machine.
Try It Yourself
To enable sandboxing in Claude Code, run the /sandbox command in the chat interface. This activates the sandboxed bash tool with default settings. You can customize filesystem and network permissions in the configuration.
To try Claude Code on the web, visit claude.com/code. Each session runs in an isolated cloud sandbox with the git proxy enabled by default.
If you're building your own agents, check out the sandbox runtime on GitHub. The repository includes documentation on integrating the runtime into your own tools.
The Bottom Line
Use sandboxing if you're running Claude Code on real projects with sensitive data. The 84% reduction in permission prompts makes development faster, and the OS-level isolation makes it safer than the old permission model. Skip it if you're just experimenting with toy projects where security doesn't matter.
Use Claude Code on the web if you need to code from a browser or don't want to install local tooling. Skip it if you need access to local services or custom development environments that can't run in a cloud sandbox.
The real opportunity here is for other agent builders. Anthropic open sourced the sandbox runtime because they want the entire ecosystem to adopt better security practices. If you're building agents that execute code or run commands, you should integrate this technology. The alternative is shipping tools that are vulnerable to prompt injection by design.
Source: Anthropic