HeadlinesBriefing.com

Proxying Claude Code to Shield API Secrets

Hacker News: Front Page

Drew Gregory argues that sandboxing Claude Code is less about OS‑level confinement and more about controlling what the agent can talk to on the network. Anthropic ships a Bash sandbox built on macOS’s sandbox‑exec, and OpenAI’s Codex CLI and the Cursor IDE use similar mechanisms. Engineers who want stricter isolation can run the agent under gVisor or inside a Firecracker microVM instead.

The devcontainer template Anthropic provides ships an init‑firewall.sh script that allowlists the IP addresses resolved for npm, Anthropic’s API, Sentry, Statsig, the VS Code marketplace and GitHub. Because the rules match destination IPs rather than hostnames or request content, anything behind an allowed address is reachable: any service sharing those addresses (a CDN‑fronted host, say) and any protocol to them, SSH included, passes. A compromised or prompt‑injected session can therefore exfiltrate secrets by pushing to GitHub over SSH, publishing an npm package, or creating a GitHub gist. Prompt‑injection attacks have already exploited allowlists this broad.

Gregory recommends routing all Claude traffic through a local mitmproxy. Exporting HTTP_PROXY sends the CLI’s own API requests through it, and the sandbox’s httpProxyPort setting does the same for commands run from sandboxed Bash. The sandbox is then started with a dummy ANTHROPIC_API_KEY, and a mitmproxy add‑on running outside the sandbox swaps in the real key on egress, so the secret never exists inside the environment the agent controls. The same pattern works for any third‑party credential.
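The add‑on described above, written out as an added example. This is not the script from Gregory’s post; it is a standalone mitmproxy add‑on that implements the same idea and, going one step beyond the summary, also refuses any host that is not on a hostname allowlist, the check an IP‑layer firewall cannot make. The allowlist contents, the placeholder string `sk-ant-placeholder`, the environment variable `REAL_ANTHROPIC_API_KEY`, and the module name `inject_key.py` are assumptions made for the example; `x-api-key` is the header the Anthropic API actually reads. The fake flow objects at the bottom are constructed stand‑ins so the policy can be exercised without a running proxy.

```python
"""Added example (not the add-on from Gregory's post): a mitmproxy script that
keeps the real Anthropic API key on the host side of the proxy.

Claude Code runs inside the sandbox with ANTHROPIC_API_KEY set to a placeholder.
Every request leaving the sandbox passes through mitmproxy; on the way out this
add-on (1) refuses hosts outside a hostname allowlist, which an IP-layer firewall
cannot check, (2) swaps the placeholder for the real key only on requests to
api.anthropic.com, and (3) strips the placeholder from requests to any other
allowed host. Allowlist, placeholder and env-var name are assumptions.

Run:  REAL_ANTHROPIC_API_KEY=sk-ant-... mitmdump -s inject_key.py -p 8080
"""
import os
from typing import Dict, Optional, Tuple

try:                        # hook signature is mitmproxy's; the decision logic is pure Python
    from mitmproxy import http  # noqa: F401  (only present when run under mitmdump)
except ImportError:         # lets the module be imported and exercised without mitmproxy
    http = None

API_HOST = "api.anthropic.com"                     # the only host that may ever see the real key
ALLOWED_HOSTS = {API_HOST, "registry.npmjs.org"}   # assumed allowlist; extend as needed
PLACEHOLDER = "sk-ant-placeholder"                 # value handed to the sandbox (assumed)
KEY_HEADER = "x-api-key"                           # Anthropic's API-key header
SECRET_ENV = "REAL_ANTHROPIC_API_KEY"              # set on the host, never in the sandbox (assumed)


def decide(host: str, headers: Dict[str, str], real_key: str) -> Tuple[str, Dict[str, str]]:
    """Pure decision function so the policy can be tested without a proxy.

    Returns (action, headers_to_send) where action is
      "block"  - host not on the allowlist, request must be dropped
      "inject" - placeholder replaced with the real key (host is API_HOST)
      "strip"  - placeholder removed because the request goes elsewhere
      "pass"   - nothing credential-shaped present, headers untouched
    """
    host = host.lower()
    out = dict(headers)
    if host not in ALLOWED_HOSTS:
        return "block", out
    # Header names are case-insensitive; find the key header however it was spelled.
    key_name = next((k for k in out if k.lower() == KEY_HEADER), None)
    if key_name is None or out[key_name] != PLACEHOLDER:
        return "pass", out
    if host == API_HOST:
        out[key_name] = real_key
        return "inject", out
    del out[key_name]       # a credential-looking header must not leave toward another host
    return "strip", out


class SecretInjector:
    """mitmproxy add-on; mitmdump calls request() once per client request."""

    def __init__(self, real_key: Optional[str] = None) -> None:
        self.real_key = real_key or os.environ.get(SECRET_ENV)

    def request(self, flow) -> None:
        if not self.real_key:
            raise RuntimeError(f"{SECRET_ENV} must be set in the proxy's environment")
        action, _ = decide(flow.request.pretty_host, dict(flow.request.headers), self.real_key)
        if action == "block":
            flow.kill()             # never forwarded; the client sees a connection error
            return
        if action == "pass":
            return
        for name in list(flow.request.headers):   # drop every spelling of the key header
            if name.lower() == KEY_HEADER:
                del flow.request.headers[name]
        if action == "inject":
            flow.request.headers[KEY_HEADER] = self.real_key


addons = [SecretInjector()] if http is not None else []


# --- constructed stand-in for an HTTPFlow, so the add-on can be run offline ---
class _FakeRequest:
    def __init__(self, host: str, headers: Dict[str, str]) -> None:
        self.pretty_host, self.headers = host, headers


class _FakeFlow:
    def __init__(self, host: str, headers: Dict[str, str]) -> None:
        self.request, self.killed = _FakeRequest(host, headers), False

    def kill(self) -> None:
        self.killed = True


def demo() -> Dict[str, object]:
    """Runs the add-on over three constructed requests and returns what would leave the proxy."""
    inj = SecretInjector(real_key="sk-ant-REAL")
    api = _FakeFlow(API_HOST, {"X-Api-Key": PLACEHOLDER, "content-type": "application/json"})
    npm = _FakeFlow("registry.npmjs.org", {"x-api-key": PLACEHOLDER})
    evil = _FakeFlow("gist.github.com", {"x-api-key": PLACEHOLDER})
    for f in (api, npm, evil):
        inj.request(f)
    return {"api": api.request.headers, "npm": npm.request.headers, "evil_killed": evil.killed}


if __name__ == "__main__":
    print(demo())
```

Two operational caveats apply whichever add‑on is used. First, mitmproxy only sees inside HTTPS requests because it terminates TLS, so the Claude Code process must trust the mitmproxy CA (for a Node.js process, pointing NODE_EXTRA_CA_CERTS at the generated `mitmproxy-ca-cert.pem` is enough); otherwise the CLI will refuse to connect and no key will ever be injected. Second, the proxy process now holds the real secret, so it has to run outside the sandbox and with an environment the agent cannot read, or the exercise merely moves the key rather than shielding it.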