@MrPink
Last active March 12, 2026 18:10

Claude Sandboxed on macOS

Run Claude Code in a secure sandbox with AWS credentials, Kubernetes access, and restricted file scope.

Quick Setup

1. Install dependencies

brew install claude-code agent-safehouse aws-vault git

2. Add to ~/.zshrc

# csb — Claude Sandboxed
csb() {
  # $HOME rather than ~: zsh does not expand ~ after "=" inside an argument
  AWS_VAULT=default safehouse --enable=cloud-credentials,kubectl,shell-init \
    --workdir="$HOME/git/work/il" -- claude --dangerously-skip-permissions "$@"
}

Note: Replace ~/git/work/il with your project directory.

3. Reload and test

source ~/.zshrc
csb

How It Works

csb() sets up a sandboxed Claude session with:

  • AWS_VAULT=default - Access to AWS credentials from Keychain via aws-vault
  • safehouse --enable=... - Enables specific features:
    • cloud-credentials - AWS access
    • kubectl - Kubernetes CLI access
    • shell-init - Shell startup files (git, tools, etc.)
  • --workdir=~/git/work/il - Restricts file access to this directory only
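  • --dangerously-skip-permissions - Skips Claude Code's permission prompts for smooth operation, which leaves the safehouse sandbox as the only restriction on what the session can do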
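
To check the --workdir restriction listed above instead of taking it on trust, the shell functions below can be sourced in a shell started inside the sandbox. They are an added example, not part of the gist or of safehouse; the function names and the probed paths are assumptions.

```shell
# Added example (not from the gist). Pass absolute paths; symlinks are not resolved.

# classify PATH WORKDIR -> prints "inside" or "outside"
classify() {
  case "$1/" in
    "${2%/}"/*) echo inside ;;
    *)          echo outside ;;
  esac
}

# can_read PATH -> succeeds if the current process can actually open PATH
can_read() {
  if [ -d "$1" ]; then ls -A "$1" >/dev/null 2>&1
  else head -c 1 "$1" >/dev/null 2>&1
  fi
}

# can_write DIR -> succeeds if a file can be created in DIR (the probe file is removed)
can_write() {
  [ -d "$1" ] || return 1
  probe_file="$1/.csb-probe.$$"
  ( : > "$probe_file" ) 2>/dev/null || return 1
  rm -f "$probe_file"
}

# probe WORKDIR PATH... -> lists every PATH outside WORKDIR that is reachable;
# returns 0 only when nothing outside WORKDIR could be read or written.
probe() {
  probe_workdir=$1; shift
  probe_leaks=0
  for p in "$@"; do
    [ "$(classify "$p" "$probe_workdir")" = outside ] || continue
    if can_read "$p";  then echo "READABLE $p"; probe_leaks=$((probe_leaks + 1)); fi
    if can_write "$p"; then echo "WRITABLE $p"; probe_leaks=$((probe_leaks + 1)); fi
  done
  [ "$probe_leaks" -eq 0 ]
}

# Typical call from a shell started inside the sandbox (paths are examples):
#   probe "$HOME/git/work/il" "$HOME/.ssh" "$HOME/Documents" "$HOME/Desktop"
```

Any READABLE or WRITABLE line names a path outside the project directory that the sandboxed process can still reach; running the same call outside the sandbox gives the baseline to compare against.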

Usage

# Start interactive session
csb