I run multiple Claudes in danger mode. When it burns me it'll hurt, but it's so useful without handcuffs and constant interruption that I'm fine with eventually suffering some pain.
If you don't impose some kind of sandboxing, how can you put an upper bound on the level of "pain"? What if the agent leaked a bunch of sensitive information about your biggest customer, and they fired you?
This feels like the new version of not using version control or never making backups of your production database. It’ll be fine until suddenly it isn’t.
Likewise. I’ll regret it but I certainly won’t be complaining to the Internet that it did what I told it to (skip permission checks, etc.). It’s a feature, not a bug.
I do too. Except I can't be burnt since I start each Claude in a separate VM.
I have a script which clones a VM from a base one and sets up the agent and the code base inside.
I also mount read-only a few host directories with data.
I still have exfiltration/prompt injection risks; I'm looking at adding URL allow lists but it's not trivial - basically you need an HTTP proxy, since firewalls work on IPs, not URLs.
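Added example, not part of the thread or any commenter's setup: a sketch of the allow-list decision a forward proxy in front of the agent VM would make, showing that for HTTPS the proxy only sees the `CONNECT host:port` line, so URL-path rules are enforceable only for plain HTTP unless the proxy intercepts TLS. The hosts, the rule format and the `decide` function are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow list (hypothetical hosts): (host, port, path_prefix).
ALLOW = [
    ("api.example.com", 443, "/"),                # whole host, HTTPS
    ("pypi.example.org", 443, "/simple/"),        # path-restricted, HTTPS
    ("mirror.example.internal", 80, "/debian/"),  # path-restricted, plain HTTP
]

def _norm_host(host):
    # Compare hosts case-insensitively and ignore a trailing root dot.
    return host.rstrip(".").lower()

def _path_ok(path, prefix):
    # Refuse dot-segments and percent-encoding instead of trying to
    # normalise them, so "/debian/../x" cannot slip past a prefix rule.
    if "%" in path or ".." in path.split("/"):
        return False
    return path.startswith(prefix)

def decide(method, target, allow=ALLOW):
    """Return True if the proxy should forward this request line."""
    if method.upper() == "CONNECT":
        # HTTPS tunnel: the proxy sees only "host:port". The URL path is
        # inside TLS, so a path-restricted rule cannot be enforced here
        # and only whole-host rules ("/") may open a tunnel.
        host, _, port = target.rpartition(":")
        if not host or not (port.isascii() and port.isdigit()):
            return False
        return any(h == _norm_host(host) and p == int(port) and pre == "/"
                   for h, p, pre in allow)
    # Plain HTTP: the request line carries the absolute URL.
    try:
        url = urlsplit(target)
        port = url.port or 80
    except ValueError:  # malformed URL or port
        return False
    if url.scheme != "http" or not url.hostname:
        return False
    return any(h == _norm_host(url.hostname) and p == port
               and _path_ok(url.path or "/", pre)
               for h, p, pre in allow)
```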
Please post when it breaks something important so we can laugh at you.