Seismic Impact (30%)
8.0/10
How newsworthy is this in AI?
Ecosystem Relevance (70%)
9.0/10
How useful for your apps?
How we contain Claude across products
Anthropic just published a fantastic overview of how their various sandbox techniques work across Claude.ai, Claude Code, and Cowork.
We constrain where and how an agent can act with process sandboxes, VMs, filesystem boundaries, and egress controls. The goal is to set a hard boundary on what an agent can reach. For example, if credentials never enter the sandbox, they can't be exfiltrated, regardless of whether the cause is a user, a model finding a “creative” path, or an attacker.
Claude.ai uses gVisor. Claude Code, run locally, uses Seatbelt on macOS and Bubblewrap on Linux. Claude Cowork runs a full VM (Apple's Virtualization framework on macOS, HCS on Windows).
There's a lot in here, including some interesting stories of risks they missed such as the api.anthropic.com/v1/files exfiltration vector covered here previously.
This reminded me it's time I took another look at Anthropic's open source srt (Anthropic Sandbox Runtime) tool - it's mature enough know that I'm ready to give it a proper go.
Tags: sandboxing, security, ai, generative-ai, llms, anthropic, claude, claude-code
Zac's orchestrator delegates tasks to agents that likely execute code and shell commands across 20+ Rails apps — understanding Anthropic's sandboxing techniques (gVisor, Bubblewrap, Seatbelt, VM isolation) is directly relevant to hardening how the rails-expert and investigator agents operate, especially when running Capistrano deployments or code generation tasks. The credential exfiltration vector via `api.anthropic.com/v1/files` is a concrete security risk worth auditing in the orchestrator's agent communication patterns. The open-source Anthropic Sandbox Runtime (srt) could be evaluated as a containment layer when agents interact with sensitive infrastructure apps like app_monitor or task_tracker.