(Almost) Vulnerability:

• Remote and arbitrary code execution

• Arbitrary file exfiltration

That’s what it does by design. Claude has the ability to read any files on your disk and execute any code that a remote LLM decides is a good idea. They call this “claude-cli”. And while it probably takes the title for my favorite use case of remote code execution, I think we should take the security implications of it seriously.

Solution

Introducing claude-podman finally you don’t have to trust Bezos and Google! Claude podman runs claude code in a rootless podman container which

• Limits the file access of claude-code to

  • The current working directory

  • The claude configuration files

• Limits code execution to node:current-alpine

As a rootless container running as non-root user, claude-podman is a maximally secure way of running claude-code within a container: claude-code can’t even self-update! Even if it gets root, it’s still in a container. And even if it breaks out of the container it only has access to running as a regular process which makes it no more risky than it’s normal deployment mode which everyone except the elite few is likely using.

Find the repo here: https://github.com/EvanCarroll/claude-podman