What about Claude Code on macOS?

Claude Code's macOS build uses a companion app with HMAC-signed Unix socket IPC, so approvals show up as a system notification. On Linux the companion does not exist yet, so chat forwarding is the only safe channel.

How long does it take to lock down an AI agent?

About 25 minutes if you copy the configs: 10 for the systemd drop-in, 10 for the allowlist, 5 for Signal. Spend 7 more days tuning the allowlist before trusting autonomous runs.

Is sandboxing AI agents necessary on macOS?

Yes, though your tools are weaker. Use sandbox-exec with a profile denying file-write* and network-outbound outside an explicit allowlist, run the agent under a dedicated user account (the sandvault pattern), and route approvals to your phone. macOS TCC alone is not enough.

Can prompt injection bypass these permissions?

Prompt injection cannot bypass kernel namespaces. It can absolutely bypass approval prompts shown in the same terminal as the attack output. That is the point of the Signal channel: the approval string lives somewhere the attacker cannot rewrite.

What is the difference between Claude Code permissions and OpenClaw exec.approvals?

Claude Code permissions match tool calls and arguments at the agent layer. OpenClaw exec.approvals matches resolved binary paths at the gateway layer. For tightest defense use both: argument matching at the agent, binary matching at the gateway.

Should I run my agent in Docker or Podman?

For a single agent on a personal box, a hardened systemd unit gives you 80% of the value with 20% of the pain. Move to Podman rootless at 3+ agents for per-agent UID isolation. See agent tooling for setups that scale.

Agent Permissions Playbook: Sandbox Your AI

AI DECK

גלו כלים

נבחר על ידי מומחים

חינם לנצח

מצאו תוך 30 שניות

מתעדכן יומית

Agent Permissions Playbook: Sandbox Your AI | AI Deck