Comment by ivankra a day ago

Just put it in a container. I use bash aliases like this to start a throwaway container with a bind-mounted cwd; works like a charm with rootless podman. I also learned to run npm and other shady tools this way and stopped worrying about supply chain attacks.

  # throwaway container, cwd bind-mounted at the same path and used as workdir
  alias dr='docker run --rm -it -v "$PWD:$PWD" -w "$PWD"'
  # same, plus the claude config mounted into the container's root home
  alias dr-claude='dr -v ~/.claude:/root/.claude -v ~/.claude.json:/root/.claude.json claude'

ashishb a day ago

I had the same setup that I posted about a few months back[1], and then I migrated all of it into a single tool[2] for ease of use.

  1 - https://news.ycombinator.com/item?id=45766478
  2 - http://github.com/ashishb/amazing-sandbox

Porygon a day ago

I do that, too! I use git for version control outside the docker container, and to prevent claude from executing arbitrary code through commit hooks, I attach the docker volume mount in a nested directory of the repository so claude cannot touch .git. Are there any other attack vectors that I should watch out for?

  • throw-12-16 a day ago

    I never mount .git to the agent container, but sometimes I will initialize the container with its own internal .git so the agent can preserve its git operations and maintain a change log outside of its memory context.

  • ivankra a day ago

    Ohh, good point about git hooks as a container escape vector! I probably should add `-v "$PWD/.git:$PWD/.git:ro"` for that (bind-mount .git as read-only).
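
The read-only `.git` mount above is the prevention side of the hooks vector. The detection side, as an added example that is none of the commenters' code: before running git on the host against a tree an agent has been working in, check whether anything executable landed in `.git/hooks` (sample hooks with the `.sample` suffix are inert and skipped) or whether `.git/config` now carries a `core.hooksPath` override pointing git at another directory. It assumes `.git` is a plain directory rather than a gitfile pointing at a worktree, needs only POSIX tools (no git binary), and the fixture repo it audits is constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a repo's .git directory for hooks
# an agent could have planted from inside a container with a writable .git.
# Assumptions (mine): .git is a plain directory and hooks live in .git/hooks
# unless core.hooksPath redirects them.

# Print every active (executable, non-.sample) hook and any core.hooksPath
# override. Returns 0 when nothing suspicious is found, 1 otherwise.
audit_hooks() {
    repo=$1
    found=0
    if [ -d "$repo/.git/hooks" ]; then
        for hook in "$repo/.git/hooks"/*; do
            [ -f "$hook" ] || continue
            case "$hook" in *.sample) continue ;; esac   # git ignores *.sample
            if [ -x "$hook" ]; then
                printf 'active hook: %s\n' "$hook"
                found=1
            fi
        done
    fi
    # core.hooksPath makes git run hooks from a different directory entirely,
    # so an empty .git/hooks proves nothing if this key is set.
    if [ -f "$repo/.git/config" ] && grep -qi 'hooksPath' "$repo/.git/config"; then
        printf 'core.hooksPath override in %s\n' "$repo/.git/config"
        found=1
    fi
    return $found
}

# Constructed fixture: a fake .git with a stock sample hook plus one planted
# pre-commit hook, standing in for what a writable .git mount could leave behind.
# Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.git/hooks"
    printf '[core]\n\trepositoryformatversion = 0\n' > "$dir/.git/config"
    printf '#!/bin/sh\necho sample\n' > "$dir/.git/hooks/pre-commit.sample"
    printf '#!/bin/sh\necho "hook ran on the host as $(whoami)"\n' > "$dir/.git/hooks/pre-commit"
    chmod +x "$dir/.git/hooks/pre-commit.sample" "$dir/.git/hooks/pre-commit"
    printf '%s\n' "$dir"
}

# Demo against the constructed fixture.
fixture=$(make_fixture)
if audit_hooks "$fixture"; then
    echo "clean: safe to run git on the host"
else
    echo "planted hooks found: inspect before running git here"
fi
rm -rf "$fixture"
```

Run it against a real checkout with `audit_hooks /path/to/repo` after the agent session ends; a non-zero exit means read the listed files before your next `git commit` fires them.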

throw-12-16 a day ago

Same, I containerize all of my dev envs.

I really struggle to understand how this isn't common best practice at this point.

Especially when it comes to agents and anything node related.

Claude is distributed as an npm global, so doubly true.

Takes about 5 minutes to set this up.