cli-sandbox
skill
Warn
Health Warn
- No license — Repository has no license file
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Warn
- process.env — Environment variable access in force-tty.js
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool provides a Docker-based sandbox environment to run AI coding assistants like Claude, Gemini, and Codex. It uses internal iptables firewalls to restrict network access, preventing the AI tools from making unauthorized outbound connections while working on your codebase.
Security Assessment
Overall Risk: Low to Medium. The tool accesses environment variables (terminal size, git configuration) but only passes them into the container to ensure proper display and git commit attribution. It does not request dangerous host permissions. However, running the container requires granting `NET_ADMIN` and `NET_RAW` capabilities. While these are necessary for the tool to configure its internal firewall, they are elevated Linux privileges. The source code is heavily derived from Anthropic's official Claude Code devcontainer and relies on standard shell commands rather than obfuscated or high-risk execution. There are no hardcoded secrets or malicious payloads detected.
Quality Assessment
Maintenance: Actively maintained, with repository updates as recent as today.
License and Community: Notable concerns exist here. The repository lacks an explicit license file, which means strict copyright applies by default and limits legal reuse. Furthermore, the project has low visibility (only 5 GitHub stars), meaning it has not been widely vetted by the broader developer community.
Verdict
Use with caution. The concept is secure and relies heavily on official Anthropic foundations, but the project's utility should be weighed against its lack of a formal software license and minimal community validation.
claude, codex, gemini, opencode CLI sandbox docker container
README.md
cli-sandbox
Run claude, codex, gemini or opencode in a docker container.
iptables is used inside the container to block all outbound traffic except GitHub, Anthropic, and Google Cloud internal IPs.
Requirements
- docker
- Need to pass `--cap-add=NET_ADMIN --cap-add=NET_RAW` to the `docker run` command for this image to configure the firewall
- You will need to mount the codebase you want to work on inside the container
- To persist your auth and settings for gemini and claude, you'll want to mount those directories into `/home/node` (see usage below)
Usage
    CODE_CLI=claude
    cd /path/to/codebase
    docker run \
      -v "$HOME/.$CODE_CLI:/home/node/.$CODE_CLI" \
      --cap-add=NET_ADMIN --cap-add=NET_RAW \
      -v ./:/workspace \
      -w /workspace \
      --rm -it \
      ghcr.io/libops/cli-sandbox:main \
      "$CODE_CLI"
    # chit chat
alias
With the following in your shell's dot file, you can
    cd path/to/code
    gemini
And you’ll get dropped into a sandbox’d docker container with the respective CLI with firewall protection and no host filesystem access besides the claude/gemini settings dir and the codebase mounted into the container. Be sure to uninstall claude or gemini from your machine to avoid conflicts.
    ccli() {
      # Exactly one argument: the CLI to launch.
      if [ "$#" != 1 ]; then
        echo "Need to pass opencode, codex, gemini, or claude"
        return 1
      fi
      local cli=$1
      if [ "$cli" != "opencode" ] && [ "$cli" != "codex" ] && [ "$cli" != "claude" ] && [ "$cli" != "gemini" ]; then
        echo "Need to pass opencode, codex, gemini, or claude"
        return 1
      fi
      # The current directory is bind-mounted at /workspace, so refuse $HOME.
      if [ "$(pwd)" = "$HOME" ]; then
        echo "You should cd into your codebase"
        echo "Running this command here would mount your entire home directory into $cli"
        return 1
      fi
      # Pass the host git identity so commits made in the container are attributed.
      local git_name="$(git config --global user.name)"
      local git_email="$(git config --global user.email)"
      docker run \
        -v "$HOME/.$cli:/home/node/.$cli" \
        --cap-add=NET_ADMIN --cap-add=NET_RAW \
        -e COLUMNS="$(tput cols)" \
        -e LINES="$(tput lines)" \
        -e GIT_AUTHOR_NAME="$git_name" \
        -e GIT_AUTHOR_EMAIL="$git_email" \
        -e GIT_COMMITTER_NAME="$git_name" \
        -e GIT_COMMITTER_EMAIL="$git_email" \
        -v ./:/workspace \
        -w /workspace \
        --rm -it \
        ghcr.io/libops/cli-sandbox:main \
        "$cli"
    }
    gemini() {
      ccli gemini
    }
    claude() {
      ccli claude
    }
    codex() {
      ccli codex
    }
    opencode() {
      ccli opencode
    }
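The `ccli` guard above refuses only when the current directory is exactly `$HOME`. A stricter check, as an added example that is not part of cli-sandbox, also refuses `/`, any ancestor of `$HOME`, and dot-directories under `$HOME`. The function name `workspace_is_safe` is hypothetical, and the dot-directory rule is an assumed policy.

```bash
# Added example, not part of cli-sandbox. workspace_is_safe is a hypothetical name.
# Usage: workspace_is_safe DIR [HOME_DIR]
# Returns 0 if DIR is acceptable to bind-mount at /workspace, 1 otherwise.
workspace_is_safe() {
    local dir home
    # Compare physical paths so symlinks and ".." cannot hide the real target.
    dir=$(cd -- "$1" >/dev/null 2>&1 && pwd -P) || {
        echo "refusing: $1 is not an accessible directory" >&2
        return 1
    }
    home=$(cd -- "${2:-$HOME}" >/dev/null 2>&1 && pwd -P) || {
        echo "refusing: cannot resolve the home directory" >&2
        return 1
    }

    # Mounting / hands the container the whole host filesystem.
    if [ "$dir" = "/" ]; then
        echo "refusing: / would mount the entire filesystem" >&2
        return 1
    fi

    # $HOME itself or any ancestor of it (for example /home) contains $HOME.
    case "$home/" in
        "$dir"/*)
            echo "refusing: $dir contains your home directory" >&2
            return 1
            ;;
    esac

    # Assumed policy: dot-directories directly under $HOME hold credentials
    # and tool settings, so they are not valid workspaces either.
    case "$dir/" in
        "$home"/.*)
            echo "refusing: $dir is inside a dot-directory of your home" >&2
            return 1
            ;;
    esac
    return 0
}
```

In `ccli`, calling `workspace_is_safe "$PWD" || return 1` before `docker run` would take the place of the `$HOME` comparison.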
Attribution
- `Dockerfile` and `init-firewall.sh` forked from anthropics/claude-code. Added gemini support and installed `go`. Also changed the firewall to allow access to google internal IPs
- `download.sh` copied from islandora-devops/isle-buildkit