Just put it in a container. I use bash aliases like this to start a throwaway container with a bind-mounted cwd; works like a charm with rootless podman. I also learned to run npm and other shady tools in this way and stopped worrying about supply chain attacks.
alias dr='docker run --rm -it -v "$PWD:$PWD" -w "$PWD"'
alias dr-claude='dr -v ~/.claude:/root/.claude -v ~/.claude.json:/root/.claude.json claude'
I do that, too! I use git for version control outside the docker container, and to prevent claude from executing arbitrary code through commit hooks, I attach the docker volume mount in a nested directory of the repository so claude cannot touch .git. Are there any other attack vectors that I should watch out for?
I never mount .git to the agent container, but sometimes I will initialize the container with its own internal .git so the agent can preserve its git operations and maintain a change log outside of its memory context.
Ohh, good point about git hooks as a container escape vector! I probably should add `-v "$PWD/.git:$PWD/.git:ro"` for that (bind-mount .git as read-only).
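Putting the read-only `.git` idea together with the `dr` alias as a small wrapper function (an added example, not code posted by anyone in the thread). It assumes an image named `claude` like the alias above, and the flag-building part is split into `mount_flags` so it can be checked without Docker present. It also covers the case the `-d` test in a naive version would miss: in worktrees and submodules `.git` is a file pointing at a gitdir elsewhere, and that file is just as interesting to a hook-writing process as the directory is.

```shell
#!/bin/sh
# Added example (not from the thread): start a throwaway container with the
# current directory mounted read-write, and bind-mount the repository's .git
# read-only on top of it so hooks and .git/config (e.g. core.hooksPath) cannot
# be rewritten from inside the container and later executed by the host's git.

# Print the docker run flags for exposing directory $1, one flag per line.
mount_flags() {
  dir=$1
  printf '%s\n' "-v" "$dir:$dir" "-w" "$dir"
  # .git may be a directory, or (worktrees, submodules) a file with a
  # "gitdir:" pointer; either way, mount it read-only. If the repo root is
  # above $dir (the "nested directory" trick), .git is not under $dir at all
  # and nothing further is needed.
  if [ -e "$dir/.git" ]; then
    printf '%s\n' "-v" "$dir/.git:$dir/.git:ro"
  fi
}

# Run the throwaway container for $PWD. Positional parameters are used as the
# argument list so paths containing spaces survive (no word splitting).
dr_safe() {
  dir=$PWD
  set -- -v "$dir:$dir" -w "$dir"
  if [ -e "$dir/.git" ]; then
    set -- "$@" -v "$dir/.git:$dir/.git:ro"
  fi
  # Image name is an assumption, matching the alias in the thread.
  docker run --rm -it "$@" "${DR_IMAGE:-claude}"
}
```

Usage: `dr_safe` from inside the repository. Inside the container git can still read history and diff, but `git commit` will fail because `.git` is read-only, which is the trade-off the thread already accepts by keeping version control on the host (or by giving the agent its own internal repo as one reply suggests).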