Comment by vbezhenar

I'm using qemu VM. This VM has Internet access (that's the biggest risk, I guess, that claude can just upload things somewhere). If I want it to work with github, I create token restricted to repository with read or read/write access. But I prefer for it to not push, but just commit, then I can fetch these commits via ssh from VM, check log and push it myself.

I thought about just running claude in container, but it feels a bit weak. Too many Linux vulnerabilities around. Probably these fears are unfounded, but I feel safer running untrusted stuff in qemu VM.