Sandboxing AI agents¶

Running agentic AI (like Claude Code, for example) on your local machine seems a little risky since the agent could conceivably gain access to private data, system files, etc. There are a few options to confine the AI agent to a "sandbox," which could be something like a Docker container or virtual machine (VM). A virtual machine is a little more isolated from the local system, so that is what I use.

Using Multipass with an AI coding agent¶

Multipass is a lightweight VM orchestrator from Canonical that runs in MacOS, Windows, and Linux. You can use Multipass to set up Ubuntu VMs from the commandline in a fairly frictionless way on your local host machine (your laptop, for example). You then install the AI coding agent of your choice in this VM so it only has access to that system. Here we are using Claude Code as the example, but this could work equally well with OpenCode or other big-name commercial LLM environments like Codex and Gemini CLI.

On Mac I install with

brew install multipass

, but this would be different for Windows or Linux. Once it is installed, you can start the GUI if you want, or just use the commandline interface to spin up VMs. Here is how to start a VM for Claude to work in.

multipass launch --name claude-sandbox --disk 20G --memory 4G

It takes just a minute to spin up the VM, then you can enter the shell and explore.

multipass shell claude-sandbox

There isn't much there - Multipass just creates an Ubuntu Linux installation with a few things installed, and your shell will be in the home directory of the ubuntu user. If you want to mount a local directory on your host machine to the new VM you can do that from the host shell. For example, you could mount your home directory to the claude-sandbox VM.

multipass mount $HOME claude-sandbox

If you now run multipass info claude-sandbox you'll see the mount listed. The home directory is mounted at /home/ubuntu/username, and you'll find it there if you are logged into the claude-sandbox VM's shell. You probably want to be careful about what parts of your local filesystem you mount in the VM!!! Claude, or you, can read, edit and delete things on the host filesystem once it is mounted in the VM. You can pass the --read-only option during mounting to prohibit write access. To unmount a local directory just use multipass umount.

multipass umount claude-sandbox:/home/ubuntu/username

Once your environment is set up and you are in the shell of your VM, you'll want to install Claude Code.

curl -fsSL https://claude.ai/install.sh | bash

Occasionally there are some install issues with Claude. See the Anthropic troubleshooting docs if something comes up. You'll probably also be prompted to add the newly installed claude to your bash path:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc

From here, start claude, follow the prompts to connect Claude to your Anthropic account, and away you go.

Preparing your environment first¶

One thing to note is that, if your AI workflow is actually "agentic", the AI agent will be writing and then running code in the VM sandbox you have created. Most likely that will require some developer tools that the agent can use, like Python, R, or a database. A few things are installed by default in the VM you just created, but not much. You can have the agent install what you need, but that can consume quite a few tokens, so if you already know what you want the agent to use and build with you may want to just install the basic software environment it needs first. See the VM setup guide for some easy ways to do this. You could also provide the agent with a simple script of tools to install.