How we contain Claude across products
Anthropic documents the sandboxing approaches used across Claude.ai, Claude Code, and Cowork.
Anthropic explains how process sandboxes, VMs, filesystem boundaries, and egress controls limit what Claude agents can access. Claude.ai uses gVisor; local Claude Code uses Seatbelt on macOS and Bubblewrap on Linux; Cowork runs in a full VM. Simon Willison highlights the documentation quality, notes a previously missed file-exfiltration path, and plans to revisit Anthropic's open-source srt tool.
Simon Willison has long followed the topic of sandbox security for AI agents. He notes that many products offering isolated environments lack complete documentation; if developers cannot understand the actual boundaries, it is difficult to judge whether these tools can be trusted. This time, Anthropic has published a technical overview that openly explains the isolation methods used by Claude.ai, Claude Code, and Cowork, and for this it earns his approval.
Summaries are AI-generated; the original article is authoritative.