So let me get this straight. You’re writing tens of thousands of lines of code that will presumably go into a public GitHub repository and/or be served from some location. Even if it only runs locally on your own machine, at some point you’ll presumably give that code network access. And that code is being developed (without much review) by an agent that, in our threat model, has been fully subverted by prompt injection?
Sandboxing the agent hardly seems like a sufficient defense here.
That's kind of tangential though. The article is more about using sandboxes to allow `--dangerously-skip-permissions` mode. If you're not looking at the generated code, you're correct, sandboxing doesn't help, but neither does permissioning, so it's not directly relevant to the main point.
My point is that if the threat model is “agent got sensitive information and wants to exfiltrate it”, looking at the code isn’t going to save you. You’re already dead. This was the threat outlined in TFA.
Yeah. Personally I haven't found a workflow that relies heavily on detailed design specs, red/green TDD followed by code review. And that's fine because that's how I did my work before AI anyway, both at the individual level and at the team level. So really, this is no different than reviewing someone else's PR, aside from the (greatly increased) turnaround time and volume.
Oh hang on, I think I've spotted a point of confusion here.
All three of the projects I described in this talk have effectively zero risk in terms of containing harmful unreviewed code.
DeepSeek-OCR on the Spark? I ran that one in a Docker container, saved some notes on the process and then literally threw away the container once it had finished.
The Pyodide in Node.js one I did actually review, because its code I execute on a machine that isn't disposable. The initial research ran in a disposable remote container though (Claude Code for web).
The Perl in WebAssembly one? That runs in a browser sandbox. There's effectively nothing bad that can happen there, that's why I like WebAssembly so much.
I am a whole lot more cautious in reviewing code that has real stakes attached to it.
Understood. I read the article as “here is how to do YOLO coding safely”, and part of the “safely” idea was to sandbox the coding agent. I’m just pointing out that this, by itself, seems insufficient to prevent ugly exfiltration, it just makes exfiltration take an extra step. I’m also not sure that human code review scales to this much code, nor that it can contain that kind of exfiltration if the instructions specify some kind of obfuscation.
Obviously your recommendation to sandbox network access is one of several you make (the most effective one being “don’t let the agent ever touch sensitive data”), so I’m not saying the combined set of protections won’t work well. I’m also not saying that your projects specifically have any risk, just that they illustrate how much code you can end up with very quickly — making human review a fool’s errand.
ETA: if you do think human review can prevent secret exfiltration, I’d love to turn that into some kind of competition. Think of it as the obfuscated C contest with a scarier twist.
It's an interesting risk tradeoff to think about. Is 14k lines of LLM generated code more likely to have an attack in it than 14k lines of transitive library dependencies I get when I add a package to my project?
In the library case, there is a network of people that could (and sometimes do) deliberately inject attacks into the supply chain. On the other hand, those libraries are used and looked at by other people - odds of detection are higher.
With LLM generated code, the initial developer is the only one looking at it. Getting an attack through in the first place seems harder, but detection probability is lower.
Yes. If by "subtly obfuscated" you mean anything from 'tucked into a comment without encoding, where you're unlikely to notice it', to 'encoded in invisible Unicode' to 'encoded in a lovely fist of Morse using an invisible pattern of spaces and tabs'.
I don't know what models are capable of doing these days, but I find all of these things to be plausible. I just asked ChatGPT to do this and it claimed it had; it even wrote me a beautiful little Python decoder that then only succeeded in decoding one word. That isn't necessarily confirmation, but I'm going to take that as a moral victory.
I don't understand this concern. The models themselves are completely inscrutable, of course. But the premise of safely using them in real codebases is that you know what safe code in that language looks like; it's no different than merging a PR from an anonymous contributor on an open source project (except that the anonymous contributor very definitely could be trying to sabotage you and the LLM is almost certainly not).
Either way: if you're not sure what the code does, you don't merge it.
The premise of TFA as understood it was that we have lethal trifecta risk: sensitive data getting exfiltrated via coding agent. The two solutions were sandboxing to limit access to sensitive data (or just running the agent on somebody else’s machine) and sandboxing to block outbound network connections. My only point here is that once you’ve accepted the risk that the model has been rendered malicious by prompt injection, locking down the network is totally insufficient. As long as you plan to release the code publicly (or perhaps just run it on a machine that has network access), it has an almost disturbingly exciting number of ways it can do data exfiltration via the code. And human code review is unlikely to find many of them, because the number of possibilities for obfuscation is so huge you’ve lost even if you have an amazing code reviewer (and let’s be honest, at 7000 SloC/day nobody is a great code reviewer.)
I think this is exciting and if I was teaching an intro security and privacy course I’d be urging my students to come up with the most exciting ideas for exfiltrating data, and having others trying to detect it through manual and AI review. I’m pretty sure the attackers would all win, but it’d be exciting either way.
Huh. I don't know if I'm being too jumpy about this or not.
The notion that Claude in yolo-mode, given access to secrets in its execution environment, might exfil them is a real concern. Unsupervised agents will do wild things in the process of trying to problem-solve. If that's the concern: I get it.
The notion that the code Claude produces through this process might exfil its users secrets when they use the code is not well-founded. At the end of whatever wild-ass process Claude undertakes, you're going to get an artifact (probably a PR). It's your job to review the PR.
The claim I understood you to be making is that reviewing such a PR is an intractable problem. But no it isn't. It's a problem developers solve all the time.
The threat model described in TFA is that someone convinces your agent via prompt injection to exfiltrate secrets. The simple way to do this is to make an outbound network connection (posting with curl or something) but it’s absolutely possible to tell a model to exfiltrate in other ways. Including embedding the secret in a Unicode string that the code itself delivers to outside users when run. If we weren’t living in science fiction land I’d say “no way this works” but we (increasingly) do so of course it does.
Silently setup a child pornographer exchange server and run it on your machine for years without you ever noticing until you are caught and imprisoned.
I guess it's great if you don't give a shit about code quality, particularly in a larger project.
What I see are three tiny little projects that do one thing.
That is boring. We already know the LLMs are good at that.
Let's see it YOLO into a larger codebase with protocols and a growing feature set without making a complete mess of things.
So far CC has been great for letting me punch above my weight but the few times I let it run unattended it has gone against conventions clearly established in AGENTS.md and I wasn't there to keep it on the straight and narrow. So a bunch more time had to be spent untangling the mess it created.
Yeah I don't know if this is a skill issue on my part, the nature of my projects, the limits of Sonnet vs. Opus, or a combination of all of the above, but my experiences track with all of yours.
From the article:
> The default mode requires you to pay constant attention to it, tracking everything it does and actively approving changes and actions every few steps.
I've never seen a YOLO run that doesn't require me to pay constant attention to it. Within a few minutes, Claude will have written bizarre abstractions, dangerous delegations of responsibility, and overall the smelliest code you'll see outside of a coding bootcamp. And god help you if you have both client and server code within the same repo. In general Claude seems to think that it's fine to wreak havoc in existing code, for the purpose of solving whatever problem is immediately at hand.
Claude has been very helpful to me, but only with constant guidance. Believe me, I would very much like to YOLO my problems away without any form of supervision. But so far, the only useful info I've received is to 1) only use it for side projects/one-off tools, and 2) make sure to run it in a sandbox. It would be far more useful to get an explanation for how to craft a CLAUDE.md (or, more generally, get the right prompt) that results in successful YOLO runs.
Anyone from the Cursor world already YOLO's it by default.
A massive productivity boost I get is using to do server maintenance.
Using gcloud compute ssh, log into all gh runners and run docker system prune, in parellel for speed and give me a summary report of the disk usage after.
This is an undocumented and underused feature of basic agentic abilities. It doesn't have to JUST write code.
Yesterday I was trying to move a backend system to a new AWS account and it wasn’t working. I asked Claude Code to figure it out. About 15 minutes and 40 aws CLI commands later, it did! Turned out the API Gateway’s VPCLink needed a security group added, because the old account’s VPC had a default egress rule and the new one’s didn’t.
I barely understand what I just said, and I’m sure it would have taken me a whole day to track this down myself.
Obviously I did NOT turn on auto-approve for the aws command during this process! But now I’m making a restricted role for CC to use in this situation, because I feel like I’ll certainly be doing something like this again. It’s like the AWS Q button, except it actually works.
This kind of trial and error debugging is the main reason I pay for Calude Code. Software development and writing code is meh. I mean, it’s okay. But I have a strong opinion on most coding tasks. But debugging something I touch once in a blue moon, trying out 10 commands before I find the failure point - that’s just something else.
Yeah totally setting it lose on your home lab is quite an eye opener. It’ll tip up recovery scripts diagnose hung systems figure out root causes of driver bugs; Linux has never been so user friendly!
Bonus points I finally have permissions sorted out on my samba share haha …
I've used Linux as my daily driver for well over a decade now, but there were quite a few times where I almost gave up.
I knew I could always fix any problem if I was willing to devote the time, but that isn't a trivial investment!
Now with these AI tools, they can diagnose, explain, and fix issues in minutes. My system is more customized than ever before, and I'm not afraid to try out new tools.
True for more than just Linux too. It's a godsend for homelab stuff.
There are a million different tools that are designed to do this, e.g. this task (log into a bunch of machines and execute a specific command without any additional tools running on each node) is literally the design use case for Ansible. It would be a simple playbook, why are you bringing AI into this at all?
Agreed, this is truly bizarre to me. Is OP not going to have to do this work all over again in x days time once the nodes fill with stale docker assets again?
AI can still be helpful here if new to scheduling a simple shell command, but I'd be asking the AI how do I automate the task away, not manually asking the AI to do the thing every time, or using my runners in a fashion that means I don't have to even concern myself with scheduled prune command calls.
Yeah that sounds like a CI/CD task or scheduled job. I would not want the AI to "rewrite" the scripts before running them. I can't really think of why I would want it to?
I'm glad this worked for you, but if it were me at most I would have asked Claude Code to write me an Ansible playbook for doing this, then run it myself. That gives me more flexibility to run this in the future, to change the commands, to try it, see that it fails, and do it again, etc.
And I honestly am a little concerned about a private key for a major cloud account where Claude can use it, just because I'm more than a little paranoid about certs.
There's no sandbox of any kind, at least on Linux, and the permission system is self-defeating. The agent will ask to run something like `bash -c "npm test"` and ask you to whitelist "bash" for future use. I don't use it daily because I don't find it useful to begin with, but when I take it for a spin it's always inside a full VM.
We've been exploring libseccomp/BPF filters on top of bubblewrap namespaces for LLM sandboxing - the BPF layer lets you go beyond read-only mounts to syscall restrictions. Open to collaboration on pushing this further: https://github.com/corv89/shannot
I like the best of both worlds approach of asking Claude to refine a spec with me (specifically instructing it to ask me questions) and then summarize an implementation or design plan (this might be a two step process if the feature is big enough)
When I’m satisfied with the spec, I turn on “allow all edits” mode and just come back later to review the diff at the end.
I find this works a lot better than hoping I can one shot my original prompt or having to babysit the implementation the whole way.
I recommend trying a more capable model that will read much more context too when creating specs. You can load a lot of full files into GPT 5 Pro and have it produce a great spec and give more surgical direction to CC or Codex (which don’t read full files and often skip over important info in their haste). If you have it provide the relevant context for the agent, the agent doesn’t waste tokens gathering it itself and will proceed to its work.
Is there an easy way to get a whole codebase into GPT 5 Pro? It's nice with claude to be able to say "examine the current project in the working directory" although maybe that's actually doing less than I think it is.
I don't understand why people advocate so strongly for `--dangerously-skip-permissions`.
Setting up "permissions.allow" in `.claude/settings.local.json` takes minimal time. Claude even lets you configure this while approving code, and you can use wildcards like "Bash(timeout:*)". This is far safer than risking disasters like dropping a staging database or deleting all unstaged code, which Claude would do last week, if I were running it in the YOLO mode.
The worst part is seeing READMEs in popular GitHub repos telling people to run YOLO mode without explaining the tradeoffs. They just say, "Run with these parameters, and you're all good, bruh," without any warning about the risks.
I wish they could change the parameter to signify how scary it can be, just like React did with React.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED (https://github.com/reactjs/react.dev/issues/3896)
sandbox-exec isn't really deprecated. It's just a tiny wrapper around some semi-private undocumented APIs, it says that because it's not intended for public use. If it were actually deprecated Apple would have deleted it at some point, or using it would trigger a GUI warning, or it'd require a restricted entitlement.
The reason they don't do that is because some popular and necessary apps use it. Like Chrome.
However, I tried this approach too and it's the wrong way to go IMHO, quite beyond the use of undocumented APIs. What you actually want to do is virtualize, not sandbox.
The sandbox idea seems nice, it's just a question of how annoying it is in practice. For example the "Claude Code on the web" sandbox appears to prevent you from loading `https://api.github.com/repos/.../releases/latest`. Presumably that's to prevent you from doing dangerous GitHub API operations with escalated privileges, which is good, but it's currently breaking some of my setup scripts....
I whitelisted github.com, api.github.com, *.github.com, and it still doesn't seem to work. I suspect they did something specifically for github to prevent the agent from doing dangerous things with your credentials? But I could be wrong.
My approach is to ask Claude to plan anything beyond a trivial change and I review the plan, then let it run unsupervised to execute the plan. But I guess this does still leave me vulnerable to prompt injection if part of the plan is accessing external content
I ran a cost estimate on the project I describe in https://simonwillison.net/2025/Oct/23/claude-code-for-web-vi... - which was covered by my Claude Max account, but I dug through the JSONL log files for that session to try and estimate the cost if I had been using the API.
So, yeah, only tangentially related, but if anyone at Anthropic would see it fit to let Claude loose on their DNS, maybe they can create an MX record for 'email.claude.com'?
That would mean that their, undoubtedly extremely interesting, emails actually get met with more than a "450 4.1.8 Unable to find valid MX record for sender domain" rejection.
I'm sure this is just an oversight being caused by obsolete carbon lifeforms still being in charge of parts of their infrastructure, but still...
a not really related fact. I remember reading some RFC, and the sender should try sending to the server specified in A record if there are no MX records present
This sounds like it's an inbound check, as part of spam prevention, by seeing if the sending domain looks legitimate. There are a whole lot of those that are common that are not covered in RFCs.
This particular post was a talk I gave in person on Tuesday. I have a policy of always writing up my talks, it's a little inconvenient that the one happened to coincide with a busy week for other content.
Telling Claude to solve a problem and walking away isn't a problem you solved. You weren't in the loop. You didn't complete any side quests or do anything of note, you merely watched an AGI work.
This exactly is the part that lots of folks are missing. As programmers in a high level language (C, Rust, Python ..) we were merely guiding the compiler to create code. You could say the compiler/interpreter is more deterministic, but the fact remains the code that is run is 100% not what you wrote, and you're at the mercy of the tool .. which we trust.
Compiled output can change between versions, heck, can even change during runtime (JIT compilation).
The hubris here, which is very short-sighted, is the idea that a. You have very important contributions to make and b. You cannot possibly be replaced.
If you're barely doing anything neither of these things can possibly be true even with current technology.
I don't think anyone would claim that writing a poem yourself and hiring someone to write a poem for you are the same thing.
In the same way, there is a distinct difference form having and encoding the concepts behind a piece of software yourself and having a rough idea of what you want and hiring a bunch of people to work out that conceptualization for you. Contrarily, a compiler or interpreter is just a strict translation of one representation of that conceptualization into another (modulo maybe alterations in one dimension, namely efficiency). It's a completely different dynamic and these snarky analogies are either disingenuous or show that AI boosters understand and reflect on what it is they are really doing far less than the critics.
Since I ended my career as a wage worker and just sell my own software now, automation is great for me. Even before GPT hype I saw the writing on the wall for relying on a salary and got out so that I could own the value of my labor.
I don’t see my customers being able to one-shot their way to the full package of what I provide them anytime soon either. As they gain that capability, I also gain the capability to accelerate what more value I provide them.
I don’t think automation is the cause of your inability to feed and house yourself if it reduces the labor needed by capital. That’s a social and political issue.
Edit:
I have competitors already cloning them with CC regularly, and they spend more than 24h dedicated to it too
If the capability does arrive, that’s why I’m using what I can today to get a bag before it’s too late.
I can’t stop development of automation. But I can help workers organize, that’s more practical.
>I don’t see my customers being able to one-shot their way to the full package of what I provide them anytime soon either
What if they are, or worse? Are you prepared for that?
If you point me towards your products, someone can try to replicate them in 24 hours. Sound good?
Edit: I found it, but your website is broken on mobile. Needs work before it's ready to be put into the replication machine. If you'd like I can do this for you for a small fee at my consulting rate (wink emoji).
I’m not sure what your point is. That I should give up because everything can already be replicated? That I shouldn’t use LLMs to accelerate my work? That I should feel bad for using them?
I'm not scared for me, but I'm definitely worried for some of you. You seem weirdly trusting. What if the thing you're counting on is really not all you think it is? So far I'm about as impressed as I am of the spam in my inbox.
There sure is a lot of it, but the best it can do is fool me into evaluating it like it's a real communication or interaction, only to bounce off the basic hollowness of what's offered. What I'm trying to do it doesn't _do_… I've got stuff that does, for instance leaning into the genetic algorithm, but even then dealing with optimizing fitness functions is very much on me (and is going well, thanks for asking).
Why should I care if AI is marching if it's marching in circles, into a wall, or off a cliff? Maybe what you're trying to do is simply not very good or interesting. It'd be nice if my work could get away with such hollow, empty results but then I wouldn't be interested in it either…
As your response is that for someone to find productivity with this tool, the only way you can understand that to be true is for their work to be hollow and the results uninteresting and must be beneath you, I will simply say about the rest of your message: Skill issue
That way the worst thing that can happen is that you later (accidentally) trust the result of that work.
reply