# Add to your Claude Code skills
git clone https://github.com/PACHAKUTlQ/ClaudeCage
README.md
Run the SOTA AI coding agent in a portable, secure sandbox.
Claude Code is a state-of-the-art AI coding assistant. Unfortunately, its CLI is distributed as closed-source and obfuscated javascript. You don't know what it's doing. Is it reading your SSH keys? Is it indexing your photos? Is it planning some Skynet world domination from your ~/Downloads folder?
Probably not... but why risk it?
ClaudeCage solves this by packaging the Claude Code CLI into a fully isolated, single-file container. It cannot access any part of your system except for the single project directory you are currently working in.
Breaking change: the build output is now named claude (plus claude.rcfg), so it can act as a drop-in replacement for the original claude CLI (but sandboxed).
Features
Secure Sandbox: Powered by Linux namespaces, the claude process is heavily restricted and cannot access your home directory, network information, or other processes.
Single-File Portability: The entire environment—the claude binary, the bun runtime, and all dependencies—is packed into a single executable file. Download it, make it executable, and run it.
No Host Dependencies: You do not need node, , or anything else installed on your system.
Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
183,625
anthropic-claude
bubblewrap
bun
claude
claude-code
claude-desktop
coding
container
linux
namespace
sandbox
security
vibe-coding
bun
Works on Most Linux Distros: Runs on virtually any modern Linux distribution.
Better Performance: Runs at native speed. It runs even faster than official Claude Code thanks to the modern high performance javascript runtime: bun.
Custom API Support: Easily configure it to use custom API endpoints, including OpenAI proxies.
Host Toolchain Access (Read-only): By default, common system directories (like /usr, /etc, /opt) are mounted read-only so Claude can use your existing compilers/tools without being able to modify them.
How It Works
ClaudeCage is built using the RunImage project, which leverages Bubblewrap to create lightweight, unprivileged containers. This project provides a simple build script to automate the creation of a custom RunImage container specifically for Claude Code.
Usage
1. Get ClaudeCage
Download pre-built binary
Download claude binary and claude.rcfg config file, copy both files to a location in your ${PATH}, like ~/.local/bin/.
Build from Source
First, clone the repository. The build script has no dependencies other than curl and standard coreutils.
git clone https://github.com/your-username/ClaudeCage.git
cd ClaudeCage
./build.sh
The script will download the necessary components and create two files in the current directory:
claude: The portable executable.
claude.rcfg: The sandbox configuration file.
2. Run ClaudeCage
Move both the claude executable and the .rcfg file to a location in your ${PATH}, like ~/.local/bin/.
mv claude claude.rcfg ~/.local/bin/
Now, you can use it just like the regular claude command. Navigate to any project directory and run it. It will only have access to that directory.
cd /path/to/my/awesome-project
claude "Refactor this function to be more efficient." # Claude now has access to this directory only
Avoiding conflicts with your original claude
Because the output is named claude, installing it into your ${PATH} will likely override your original claude. (Not necessarily replace, as the recommendation is put claude and claude.rcfg in ~/.local/bin instead of /usr/bin.)
If you want to keep both, rename the pair to the same basename (the .rcfg must match the executable name):
mv claude claude-cage
mv claude.rcfg claude-cage.rcfg
./claude-cage "Hello from sandbox"
Configuration
Sandbox mounts & isolation (default)
You can edit claude.rcfg to customize what the sandbox can see. The default config is designed to be usable out-of-the-box while keeping sensitive host data out.
Persisted Claude state (host):
On startup, the config ensures these exist on the host (created if missing):
${HOME}/.claude/ (mode 700)
${HOME}/.claude.json (mode 600)
Then it bind-mounts them into the sandbox (so your login/config/history persist across runs):
${HOME}/.claude.json (read-write)
${HOME}/.claude/ (read-write)
Project directory:
The current working directory is bind-mounted into the sandbox (so Claude can read/write your project).
The command starts in the same working directory.
Host system/tooling (read-only):
Common paths are mounted read-only so Claude can invoke host tools:
/usr, /opt, /etc
And, if present: /lib, /lib64, /bin, /sbin
SSH (safe-by-default):
If SSH_AUTH_SOCK is set, ClaudeCage forwards only the agent socket into the sandbox (no direct access to your ${HOME}/.ssh by default).
If you really need host SSH keys/config inside the sandbox (less secure), you can opt in:
CLAUDECAGE_ALLOW_SSH_KEYS=1 claude "Clone and inspect this repo."
Extra isolation knobs enabled by default:
Additional unshares are enabled (like DBus, XDG runtime, X11 tmp socket), in addition to PIDs/users/hostname/tmp.
Use other model providers easily (via Claude Code Router)
If you want to route Claude Code requests to other providers/models (OpenRouter, DeepSeek, Ollama, Gemini, etc.), use the external project Claude Code Router:
Because ClaudeCage installs a claude binary into your ${PATH} (drop-in replacement), when Claude Code Router runs claude, it will automatically invoke the sandboxed ClaudeCage claude.
Custom API Endpoints & Proxies
claude-code-router ccr code auto configures env variables and invokes Claude Code. If you like the manual way or don't want to use claude-code-router, you can make Claude Code use a custom API endpoint by setting the following environment variables before running ClaudeCage:
export ANTHROPIC_BASE_URL="http://localhost:3456/"
export ANTHROPIC_AUTH_TOKEN="not-needed-when-using-local-proxy"
export ANTHROPIC_MODEL="anthropic/claude-sonnet-4"
export ANTHROPIC_SMALL_FAST_MODEL="google/gemini-2.0-flash"
claude "What is the capital of Nebraska?"
The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.
