> At a bare minimum, the agent must have the ability to: read files, execute programs, and make HTTP requests.

That's one very short step removed from Simon Willison's lethal trifecta.

I will say one thing Claude does is that it doesn't run a command until you approve it, and you can choose between a one-time approval and always allowing a command's pattern. I usually approve the simple commands like `zig build test`, since I'm not particularly worried about the test harness. I believe it also scopes file reading by default to the current directory.

A lot of people run Claude with `--dangerously-skip-permissions`.

This is why I won't run Claude without additional sandboxing. I'm currently using (and quite pleased with) https://github.com/strongdm/leash.

I'm definitely not running that on my machine.

The way this is generally implemented is that agents have the ability to request a tool use. Then you confirm "yes, you may run this grep".
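A minimal model of the approval gate this comment describes, together with the one-time vs. always-allow-pattern approvals and cwd-scoped file reads mentioned earlier in the thread. This is an added example, not code from the thread or from any agent; `ToolGate`, the `approve` callback contract and the sample commands are assumptions. Note how the remembered pattern `zig build *` also admits `zig build run`: pattern approvals widen scope beyond the command that was shown.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import Path
import shlex


@dataclass
class ToolGate:
    """Mediates an agent's tool-use requests: nothing runs or is read
    until the gate says so. (Hypothetical class, not any agent's real API.)"""
    workdir: Path
    always_allow: set[str] = field(default_factory=set)  # remembered glob patterns
    audit: list[str] = field(default_factory=list)

    def request_command(self, argv: list[str], approve) -> bool:
        """Hold a command until a human decides. `approve(cmd)` (assumed
        callback) returns "deny", "once", or a glob pattern to remember,
        e.g. "zig build *" -> later matches are auto-allowed."""
        cmd = shlex.join(argv)
        if any(fnmatch(cmd, pat) for pat in self.always_allow):
            self.audit.append(f"auto-allow {cmd}")
            return True
        decision = approve(cmd)
        if decision == "deny":
            self.audit.append(f"deny {cmd}")
            return False
        if decision != "once":
            self.always_allow.add(decision)  # "always allow this pattern"
        self.audit.append(f"allow {cmd}")
        return True

    def request_read(self, rel_path: str) -> bool:
        """Scope reads to workdir; resolve() collapses ../ and symlinks
        so an escape is judged on the real target path, not the spelling."""
        root = self.workdir.resolve()
        target = (root / rel_path).resolve()
        ok = target == root or root in target.parents
        self.audit.append(("allow" if ok else "deny") + f" read {rel_path}")
        return ok


def demo() -> dict:
    """Scripted session: approve the test harness permanently, deny curl."""
    gate = ToolGate(workdir=Path.cwd())
    # Constructed approver standing in for the interactive prompt.
    answers = {"zig build test": "zig build *", "curl -s https://example.invalid/": "deny"}
    approve = lambda cmd: answers.get(cmd, "once")
    return {
        "test_first": gate.request_command(["zig", "build", "test"], approve),
        "test_again": gate.request_command(["zig", "build", "run"], approve),  # pattern hit
        "curl": gate.request_command(["curl", "-s", "https://example.invalid/"], approve),
        "read_in": gate.request_read("src/main.zig"),
        "read_out": gate.request_read("../../etc/passwd"),
        "audit": gate.audit,
    }
```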

Same, but I felt okay sticking my code base in a VM and then letting an agent run there. I'd say it worked well.