Skillget

ClaudeCage

agent
Guvenlik Denetimi
Basarisiz
Health Gecti
  • License — License: AGPL-3.0
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 142 GitHub stars
Code Basarisiz
  • rm -rf — Recursive force deletion command in build.sh
Permissions Gecti
  • Permissions — No dangerous permissions requested
Purpose
This tool packages the official Claude Code CLI into a portable, sandboxed executable for Linux. It restricts the AI agent's access to only the current project directory using container isolation, preventing it from reading sensitive personal files.

Security Assessment
The core promise of this tool is enhanced security through sandboxing. It intentionally restricts access to the host filesystem and network, which is a positive design choice. However, there are important caveats to consider. First, a rule-based scan flagged a `rm -rf` recursive force deletion command inside `build.sh`. While this is common in build scripts to clean up temporary directories, it requires manual review to ensure it does not accidentally target unintended system paths. Second, the tool bundles a closed-source, obfuscated JavaScript CLI. You are inherently trusting Anthropic's official code, but this wrapper adds an extra layer of unofficial packaging around it. There are no hardcoded secrets or dangerous permissions requested. Overall risk: Medium.

Quality Assessment
The project is actively maintained and recently updated. It uses the standard AGPL-3.0 license and has garnered positive community attention, reflected in 142 GitHub stars. That said, the tool's compatibility with various command-line interfaces is currently listed as unknown. Additionally, the developer notes that Claude Code now natively supports sandboxing and high-performance runtimes. This means the primary advantages of this third-party tool may diminish as official features catch up.

Verdict
Use with caution. The sandboxing concept is solid and useful, but you should review the `rm -rf` command in the build script before executing it, and keep in mind that official Claude Code features may soon make this third-party wrapper unnecessary.
SUMMARY

Claude Code running in sandbox. Packed as single portable executable with no dependency. Has better performance than official version.

README.md

[!note]

Claude Code now officially supports bun runtime and bwrap-based sandbox. It is recommended to use these native features. ClaudeCage might still work.

Build and Release

Run the SOTA AI coding agent in a portable, secure sandbox.

Claude Code is a state-of-the-art AI coding assistant. Unfortunately, its CLI is distributed as closed-source and obfuscated javascript. You don't know what it's doing. Is it reading your SSH keys? Is it indexing your photos? Is it planning some Skynet world domination from your ~/Downloads folder?

Probably not... but why risk it?

ClaudeCage solves this by packaging the Claude Code CLI into a fully isolated, single-file container. It cannot access any part of your system except for the single project directory you are currently working in.

Breaking change: the build output is now named claude (plus claude.rcfg), so it can act as a drop-in replacement for the original claude CLI (but sandboxed).

Features

  • Secure Sandbox: Powered by Linux namespaces, the claude process is heavily restricted and cannot access your home directory, network information, or other processes.
  • Single-File Portability: The entire environment—the claude binary, the bun runtime, and all dependencies—is packed into a single executable file. Download it, make it executable, and run it.
  • No Host Dependencies: You do not need node, bun, or anything else installed on your system.
  • Works on Most Linux Distros: Runs on virtually any modern Linux distribution.
  • Better Performance: Runs at native speed. It runs even faster than official Claude Code thanks to the modern high performance javascript runtime: bun.
  • Custom API Support: Easily configure it to use custom API endpoints, including OpenAI proxies.
  • Host Toolchain Access (Read-only): By default, common system directories (like /usr, /etc, /opt) are mounted read-only so Claude can use your existing compilers/tools without being able to modify them.

How It Works

ClaudeCage is built using the RunImage project, which leverages Bubblewrap to create lightweight, unprivileged containers. This project provides a simple build script to automate the creation of a custom RunImage container specifically for Claude Code.

Usage

1. Get ClaudeCage

Download pre-built binary

Download claude binary and claude.rcfg config file, copy both files to a location in your ${PATH}, like ~/.local/bin/.

Build from Source

First, clone the repository. The build script has no dependencies other than curl and standard coreutils.

git clone https://github.com/your-username/ClaudeCage.git
cd ClaudeCage
./build.sh

The script will download the necessary components and create two files in the current directory:

  • claude: The portable executable.
  • claude.rcfg: The sandbox configuration file.

2. Run ClaudeCage

Move both the claude executable and the .rcfg file to a location in your ${PATH}, like ~/.local/bin/.

mv claude claude.rcfg ~/.local/bin/

Now, you can use it just like the regular claude command. Navigate to any project directory and run it. It will only have access to that directory.

cd /path/to/my/awesome-project
claude "Refactor this function to be more efficient." # Claude now has access to this directory only

Avoiding conflicts with your original claude

Because the output is named claude, installing it into your ${PATH} will likely override your original claude. (Not necessarily replace, as the recommendation is put claude and claude.rcfg in ~/.local/bin instead of /usr/bin.)

If you want to keep both, rename the pair to the same basename (the .rcfg must match the executable name):

mv claude claude-cage
mv claude.rcfg claude-cage.rcfg
./claude-cage "Hello from sandbox"

Configuration

Sandbox mounts & isolation (default)

You can edit claude.rcfg to customize what the sandbox can see. The default config is designed to be usable out-of-the-box while keeping sensitive host data out.

Persisted Claude state (host):

  • On startup, the config ensures these exist on the host (created if missing):
    • ${HOME}/.claude/ (mode 700)
    • ${HOME}/.claude.json (mode 600)
  • Then it bind-mounts them into the sandbox (so your login/config/history persist across runs):
    • ${HOME}/.claude.json (read-write)
    • ${HOME}/.claude/ (read-write)

Project directory:

  • The current working directory is bind-mounted into the sandbox (so Claude can read/write your project).
  • The command starts in the same working directory.

Host system/tooling (read-only):

  • Common paths are mounted read-only so Claude can invoke host tools:
    • /usr, /opt, /etc
    • And, if present: /lib, /lib64, /bin, /sbin

SSH (safe-by-default):

  • If SSH_AUTH_SOCK is set, ClaudeCage forwards only the agent socket into the sandbox (no direct access to your ${HOME}/.ssh by default).
  • If you really need host SSH keys/config inside the sandbox (less secure), you can opt in:
CLAUDECAGE_ALLOW_SSH_KEYS=1 claude "Clone and inspect this repo."

Extra isolation knobs enabled by default:

  • Additional unshares are enabled (like DBus, XDG runtime, X11 tmp socket), in addition to PIDs/users/hostname/tmp.

Use other model providers easily (via Claude Code Router)

If you want to route Claude Code requests to other providers/models (OpenRouter, DeepSeek, Ollama, Gemini, etc.), use the external project Claude Code Router:

This is not part of ClaudeCage. Please refer to its README for full configuration details.

Minimal usage:

npm install -g @musistudio/claude-code-router
ccr code

Because ClaudeCage installs a claude binary into your ${PATH} (drop-in replacement), when Claude Code Router runs claude, it will automatically invoke the sandboxed ClaudeCage claude.

Custom API Endpoints & Proxies

claude-code-router ccr code auto configures env variables and invokes Claude Code. If you like the manual way or don't want to use claude-code-router, you can make Claude Code use a custom API endpoint by setting the following environment variables before running ClaudeCage:

export ANTHROPIC_BASE_URL="http://localhost:3456/"
export ANTHROPIC_AUTH_TOKEN="not-needed-when-using-local-proxy"
export ANTHROPIC_MODEL="anthropic/claude-sonnet-4"
export ANTHROPIC_SMALL_FAST_MODEL="google/gemini-2.0-flash"

claude "What is the capital of Nebraska?"

See the official claude-code settings documentation for more details.

Acknowledgements

This project would be impossible without the fantastic work of the following open-source tools:

  • RunImage for making single-file, portable Linux containers a reality.
  • Bubblewrap for providing the low-level sandboxing technology.
  • Bun as modern, high performance, node.js-compatible javascript runtime.
  • claude-code-router (external) for routing Claude Code requests to multiple model providers.

Yorumlar (0)

Sonuc bulunamadi