logoalt Hacker News

codazodayesterday at 10:09 PM7 repliesview on HN

One down-side to this is that it does require you to run the agent on your Mac instead of in a Sandbox. I do this too and there are lots of problems I can't solve in a sandbox. I know a lot of you are throwing your hands up at the years of security practices we're throwing out the window when we do that.

The fact that xAI uploaded someone's home directory, including their SSH keys, is giving me serious pause at my choices here.

Generally, I don't worry about my machine being "blown up". I don't have a TON of unreproducible stuff on my machine. Everything is backed up, committed to git, and the like. I can restore most of it in a couple hours.

That said, I really, really don't want my .SSH directory sent to an AI agent and it's silly to prompt your way around that. You need to block it at the system level. I'm considering a separate user and then 700 permissions on my home directory.

I feel like we're back to 1990's security here. The double-edged sword is that it's helping us get things done at a pace like never before.

I'm not throwing shade here, I'm among the guilty.


Replies

999_cirnoyesterday at 10:52 PM

> require you to run the agent on your Mac instead of in a Sandbox

You don't have to! All recent Macs come with nearly zero perf cost virtualization. You can easily run Mac or Linux VMs assuming same architecture. Use it all the time for development and whatever.

Use Tart [1] or VirtualBuddy [2], both open-source, for a packaged solution. Or in the spirit of this post, vibe code your own wrapper around the OS API [3]

More recently, there are also Apple containers [4]

[1] https://tart.run/

[2] https://github.com/insidegui/VirtualBuddy

[3] https://developer.apple.com/documentation/virtualization

[4] https://github.com/apple/container

gwkingyesterday at 10:31 PM

I've been working on a wrapper harness that runs claude as a separate user named `agent`. I tried this about a year ago and couldn't get it to work because of OAuth and the keychain, but took another pass recently and claude had enough self-knowledge about recent changes to say we could do it with CLAUDE_CODE_OAUTH_TOKEN. It has required building a some tooling around permissions setup with ACLs but it works on macOS today.

In terms of risk, I see it as halfway between stock claude with the sandbox and full-blown container or machine isolation.

I was recently thinking that as Claude's own sandbox gets better I'm doubting the ROI on my belt-and-suspenders project, but your comment reminds me why I'm doing it.

It is not currently published open source but I'm happy to talk about it with strangers.

theredleftyesterday at 11:23 PM

I run my AI headless in a docker container and give it access to git – it can only contribute code - when it needs a secret I put it in a docker container in vault. when it needs infra, it makes me a jira ticket. that's my workflow.

show 1 reply
ghjnutyesterday at 10:41 PM

I've been running my agents in a docker sandbox that automatically mounts the current directory. It's been a bit of a pain to figure out and maintain the set of tools I provision into the sandbox- but it's fun to watch codex go to the ends of the earth trying to figure out solutions using nodejs (the only runtime).

show 1 reply
pianopatrickyesterday at 10:12 PM

You could move your SSH keys onto a password encrypted usb drive that you physically remove from the computer.

show 1 reply
colechristensenyesterday at 10:37 PM

Your sandbox can be a separate Mac user account.

You can also use native Mac VMs.

Many people have created Mac VM projects to do exactly this, I was working on one but was stalled too often because before I started using claude I bought a new laptop with what I KNEW was enough disk space.

The 100 GB or so I need to comfortably do the VM stuff just isn't available on my mac.

fragmedeyesterday at 10:18 PM

On a Mac. Just get a Mac mini. It doesn't have to be a crazy big beefy one, and if you're selling apps, it's a justifiable business expense.