In my last post, I talked about how I only trust Claude Code about as far as I can throw it. Beyond what I linked in my previous post, Simon Willison continues to post stories about coding LLMs exfiltrating data. This is not my area of expertise, but the problems seem significant, and are being mostly glossed over by the LLMs-everywhere-all-the-time crowd.
For my personal use, I have sandboxed Claude Code in a virtual machine. This has the obvious advantage that Claude does not have direct access to most of the stuff in my /home directory. I’ve mounted one shared sub-directory so that I can pass files back and forth between the host and the VM. Also (quite surprisingly), copy and paste works well between the VM’s window and the other stuff on my desktop. Lastly, I can push and pull from tildegit to move around commits or entire repositories.
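As an added example that is not from the post, here is a small shell audit for the guest side of that setup. It reads a /proc/mounts-style listing, prints every mount whose filesystem type is a typical host-to-guest share, and succeeds only when there is exactly one such share and its mount point is a sub-directory rather than the filesystem root or a home directory. The set of share filesystem types, the mount-point heuristics and the two sample listings are assumptions I constructed; they are not captures from the author's VM.

```shell
#!/bin/sh
# Added example (not from the post): check what a guest VM can see of the host.
# The recognised share types (9p, virtiofs, vboxsf, fuse.sshfs, nfs, cifs) are
# an assumption; extend the regex below for your hypervisor.

# Constructed sample: root disk, a pseudo-filesystem and ONE 9p share of a
# single sub-directory. This is the intended shape of the sandbox.
sample_mounts_ok() {
    cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
hostshare /mnt/share 9p rw,relatime,trans=virtio 0 0
EOF
}

# Constructed sample of the failure mode: the host's whole home directory was
# shared into the guest, so the VM boundary no longer protects anything in it.
sample_mounts_broad() {
    cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
hostshare /home/me 9p rw,relatime,trans=virtio 0 0
EOF
}

# audit_shares [FILE]
#   Print every host share found in FILE (default: the live /proc/mounts) and
#   return 0 only if there is exactly one share and its mount point is neither
#   the filesystem root nor a home directory. Any other layout returns 1.
audit_shares() {
    awk '
        $3 ~ /^(9p|virtiofs|vboxsf|fuse\.sshfs|nfs4?|cifs)$/ {
            n++
            printf "host share: %s mounted on %s (type %s, opts %s)\n", $1, $2, $3, $4
            # Mount points that hand the guest a whole home or the root tree.
            if ($2 == "/" || $2 == "/home" || $2 == "/root" || $2 ~ /^\/home\/[^\/]+\/?$/)
                broad++
        }
        END {
            if (n == 0)    { print "no host shares found"; exit 1 }
            if (n > 1)     { print "more than one host share (" n ")"; exit 1 }
            if (broad > 0) { print "share exposes a home directory or root"; exit 1 }
            exit 0
        }
    ' "${1:-/proc/mounts}"
}
```

Inside the VM, source the file and run `audit_shares` with no argument to check the live mount table; pass a saved listing as the argument to check a capture. A non-zero exit means the guest sees either more of the host than one sub-directory or none of it, which is worth knowing before letting an agent run there.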
Anyhow, there is some obvious friction to this workflow. My calculation is that it is worth it to mitigate (what seem to me to be obvious) security risks. I may be quite wrong about all of this. But my assumption is that these technologies are not sufficiently battle-tested, and that we should proceed with caution.