Summary

Claude Code running inside Claude Desktop operates in a sandboxed environment with filesystem and network isolation. This is why globally installed CLI tools (like lattice, custom bun packages, etc.) may not be accessible.

How the Sandbox Works

OS-Level Enforcement

  • macOS: Uses Seatbelt sandbox enforcement
  • Linux: Uses bubblewrap for isolation
  • All child processes inherit the same security boundaries

Filesystem Restrictions

| Access Type | Scope |
|---|---|
| Write access | Current working directory and subdirectories only |
| Read access | Entire computer (except denied directories) |
| Blocked | Modifications outside working directory |

This means:

  • Globally installed binaries in /usr/local/bin, ~/.bun/bin, etc. may not be in PATH
  • Custom CLI tools installed outside the project directory are inaccessible
  • System-level configurations are protected

Network Restrictions

  • Only approved domains are accessible
  • New domain requests trigger permission prompts
  • A proxy server enforces domain restrictions
  • All scripts and subprocesses inherit these restrictions
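
A sketch of the allow-or-prompt decision described above, as an added example that is not the sandbox runtime's code. The entry syntax (exact hostname or "*.suffix") and all hostnames are assumptions constructed for illustration.

```javascript
// Added example: a constructed model of a domain-allowlist decision.
// It is not the sandbox runtime's code. Assumption: an entry is either an
// exact hostname or "*.suffix" (subdomains only).

// Accept "host", "host:port" or a full URL and return a lowercase hostname.
function normalizeHost(target) {
  let host = String(target).trim().toLowerCase();
  if (host.includes("://")) host = new URL(host).hostname;
  else host = host.replace(/:\d+$/, "");
  return host.replace(/\.$/, ""); // "example.com." names the same host
}

function matchesEntry(host, entry) {
  const e = entry.toLowerCase();
  // "*.example.com" matches "cdn.example.com" but not "notexample.com".
  if (e.startsWith("*.")) return host.endsWith(e.slice(1));
  return host === e; // exact match, never substring or prefix match
}

// "allow" for an approved host; "prompt" for a new one, which per the page
// goes to a permission prompt instead of being silently allowed.
function decide(target, allowedHosts) {
  const host = normalizeHost(target);
  return allowedHosts.some((e) => matchesEntry(host, e)) ? "allow" : "prompt";
}

// Constructed sample requests.
const allowed = ["api.example.com", "*.pkg.example.org"];
for (const target of [
  "api.example.com:443",
  "API.Example.com.",
  "api.example.com.other.test",          // look-alike prefix, different host
  "https://api.example.com/upload?x=1",  // path and body play no part
  "registry.pkg.example.org",
]) {
  console.log(target.padEnd(40), decide(target, allowed));
}
```

The fourth sample is allowed whatever its path or payload, which is the "filters domains, not traffic content" limitation in practice.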

Common Issues

1. CLI Tools Not Available

Problem: Tools like lattice, globally installed npm/bun packages, or custom CLIs don’t work.

Why: The sandbox restricts access to directories outside the working directory, including global bin directories.

Workarounds:

  • Install tools locally within the project: bun add @zabaca/lattice (not globally)
  • Use npx to run packages without global install
  • Add the tool as a project dependency

2. Starting Local Web Services

Problem: A server started on localhost:3000 can’t be reached.

Why: Network isolation may restrict binding or accessing localhost ports.

Workarounds:

  • The sandbox does allow localhost access for development
  • Ensure the port is in the allowed list
  • Check whether the network proxy settings are blocking the connection

3. Docker Commands Fail

Problem: Docker commands don’t work inside the sandbox.

Why: Docker is explicitly incompatible with the sandbox.

Solution: Add docker to excludedCommands in the sandbox settings so that it runs outside the sandbox.

Configuration

Sandbox Settings (settings.json)

{
  "sandbox": {
    "allowedPaths": ["/path/to/allow"],
    "deniedPaths": ["/path/to/deny"],
    "allowedHosts": ["api.example.com"],
    "excludedCommands": ["docker"],
    "allowUnsandboxedCommands": true
  }
}

Disabling Sandbox for Specific Commands

Claude Code has an escape hatch:

  • Failed sandbox commands can retry with dangerouslyDisableSandbox
  • These go through normal permission flow
  • Disable this retry path with "allowUnsandboxedCommands": false

Sandbox Modes

| Mode | Behavior |
|---|---|
| Auto-allow | Commands automatically run in sandbox without prompts; restricted access falls back to permission flow |
| Regular permissions | All commands go through standard permission flow |

Enable via the /sandbox command.

Security Benefits

The sandbox protects against:

  • Prompt injection attacks - malicious instructions can’t escape the sandbox boundaries
  • Malicious dependencies - compromised npm packages can’t access the system
  • Data exfiltration - network restrictions prevent sending data to unauthorized servers
  • System compromise - sandboxed processes can’t modify critical configs like ~/.bashrc

Limitations

  1. Network filtering - Only filters domains, not traffic content
  2. Domain fronting - Possible bypass via broad domains like github.com
  3. Unix sockets - allowUnixSockets can grant dangerous access (e.g., Docker socket)
  4. Performance - Minimal overhead, some filesystem operations slightly slower
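
One way to check a configuration against the escape hatch and the limitations listed above, as an added example that is not Claude Code's own code. It uses the key names shown on this page; the placement of allowUnixSockets as a list under "sandbox", the BROAD_HOSTS list, the severity labels and the RISKY sample are assumptions constructed for illustration.

```javascript
// Added example: audits the "sandbox" object of settings.json as laid out on
// this page. Assumptions: allowUnixSockets is a list of socket paths under
// "sandbox"; BROAD_HOSTS is a constructed, illustrative list.
const BROAD_HOSTS = ["github.com"];

function auditSandbox(settings) {
  const sb = (settings && settings.sandbox) || {};
  const findings = [];
  const add = (key, severity, message) => findings.push({ key, severity, message });

  // Escape hatch: the page says it is turned off only by an explicit false.
  if (sb.allowUnsandboxedCommands !== false)
    add("allowUnsandboxedCommands", "medium", "unsandboxed retry is enabled");

  for (const cmd of sb.excludedCommands || [])
    add("excludedCommands", "medium", `"${cmd}" runs outside the sandbox`);

  // The proxy filters by domain only, so broad or wildcard entries widen egress.
  for (const host of sb.allowedHosts || []) {
    const bare = host.toLowerCase().replace(/^\*\./, "");
    if (host.startsWith("*") || BROAD_HOSTS.includes(bare))
      add("allowedHosts", "medium", `"${host}" is a broad egress destination`);
  }

  for (const sock of sb.allowUnixSockets || [])
    add("allowUnixSockets", /docker\.sock$/.test(sock) ? "high" : "medium",
        `socket "${sock}" is reachable from sandboxed processes`);

  for (const p of sb.allowedPaths || [])
    if (["/", "~", "~/"].includes(p))
      add("allowedPaths", "high", `"${p}" covers the whole filesystem or home`);

  return findings;
}

// The page's sample configuration, then a constructed riskier one.
const PAGE_SAMPLE = { sandbox: {
  allowedPaths: ["/path/to/allow"], deniedPaths: ["/path/to/deny"],
  allowedHosts: ["api.example.com"], excludedCommands: ["docker"],
  allowUnsandboxedCommands: true } };
const RISKY = { sandbox: {
  allowedHosts: ["github.com", "*.example.com"],
  allowUnixSockets: ["/var/run/docker.sock"],
  allowUnsandboxedCommands: false } };

for (const f of [...auditSandbox(PAGE_SAMPLE), ...auditSandbox(RISKY)])
  console.log(`[${f.severity}] ${f.key}: ${f.message}`);
```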

Open Source Runtime

The sandbox is available as an open-source package:

npx @anthropic-ai/sandbox-runtime <command-to-sandbox>

It can also sandbox MCP servers:

npx @anthropic-ai/sandbox-runtime <mcp-server-command>

GitHub: https://github.com/anthropic-experimental/sandbox-runtime

Using --dangerously-skip-permissions in Claude Desktop

Short answer: No, Claude Desktop does not support --dangerously-skip-permissions.

This flag is a CLI-only feature for the standalone Claude Code terminal application. Claude Desktop has its own permission model that works differently.

CLI vs Desktop Comparison

| Feature | Claude Code CLI | Claude Desktop |
|---|---|---|
| --dangerously-skip-permissions | Supported | Not available |
| Sandbox configuration | Full control via settings.json | Limited/managed by app |
| Global tool access | Configurable | Sandboxed by default |

Workarounds for Claude Desktop

  1. Use standalone Claude Code CLI - Run claude directly in terminal for full control
  2. Configure allowed tools - More granular than skip-permissions:
    claude config set allowedTools "Bash(git:*),Write,Read"
  3. Add project-local dependencies - Install tools in project instead of globally

Why This Limitation Exists

Claude Desktop is designed for general users, not just developers. The sandbox provides:

  • Protection against prompt injection attacks
  • Safety for non-technical users
  • Consistent security model across all users

For power users who need full control, the standalone Claude Code CLI is the intended solution.
