Heikki Toivonen
@heikkitoivonen.bsky.social
Software engineer living in Silicon Valley.
More at: heikkitoivonen.net
Funnily enough, after the good picture I accidentally pressed my Yubikey, and Gemini took that as instructions. It turned my picture into a scifi woman with long grey hair.
December 5, 2025 at 6:41 AM
Creating a sandbox profile with (deny default) would be much safer, but it seems quite difficult to get these to work due to surprising dependencies. Start from public profiles: github.com/pansen/macos-sandbox-profiles
December 3, 2025 at 12:16 AM
There is not a lot of documentation on how to create sandbox profile files. It is relatively easy to start with (allow default), and then remove access to the network and your home directory. This might also be required for GUI apps, because the sandbox support does not seem comprehensive.
December 3, 2025 at 12:13 AM
The downside of running in a Docker container without UI is that Claude cannot run a browser, and therefore cannot see how JavaScript on a page behaves. This could be worked around by creating a whole regular VM for Claude with UI and everything.
November 26, 2025 at 8:25 PM
Running out of tokens in the middle of a flow is both aggravating and anxiety-inducing. For example, I was just trying to make it commit the latest changes, but that failed. Will it be able to continue seamlessly tomorrow, or will it continue with a bad state and cause a mess?
November 26, 2025 at 8:19 PM
I did not experience the issue where you tell an AI to make a small change, and it goes off on a tangent and breaks something else. I might have gotten lucky, or it might be the small app size.
November 26, 2025 at 8:17 PM
Once the code was overall in a state that I felt was ready, I pushed it from my host. The first version took four days, two hours a day. I estimate that it would have taken me at least 40 hours to do by hand, so at least 80% savings in time.
November 26, 2025 at 8:16 PM
I found that with the $20/month plan I was able to work for about two hours a day until the tokens ran out. I feel this is pretty reasonable, at least with the size of the app I was building (ended up under 10k lines of code). I did not try to minimize token usage in any way.
November 26, 2025 at 8:13 PM
Once Claude was running, I tried to give it short instructions: create a modern Python Flask application, add unit tests, etc. I let it have access to all the tools and commands it wanted, except git commit. I iterated with the commands until I was happy. Then I let it make one commit for the changes.
November 26, 2025 at 8:11 PM
I hit a bug immediately at Claude startup. It gave me a URL to copy and paste into a browser, where I need to click a button to authorize Claude to run. But that page redirects in less than a second, making it almost impossible to click that button. I need to file a ticket on that.
November 26, 2025 at 8:08 PM
Even with these precautions, I believe Claude could hack itself out of the container directly, or put a hack in the code it is writing so that when I access it on the host, it would infect my machine. But these are still risks I am willing to take at the moment.
November 26, 2025 at 8:06 PM
I created a Docker container, and installed tools that I believed Claude would need. Claude has no root access, no access to any credentials, and only shares the project directory with the host.
November 26, 2025 at 8:03 PM
While any use of AI might try to hack things, I believe the risk is the greatest with use of an agent coding for you. The tool makers try to sandbox the AI, but I also wanted additional protection.
November 26, 2025 at 8:01 PM
Before even getting started using an agent, I wanted to think about security. Per an OpenAI paper (arxiv.org/pdf/2509.04664), hallucinations cannot be avoided. This also means that any use of AI might result in it trying to hack your computer, and publishing your secrets.
November 26, 2025 at 7:59 PM