Claude Code Sandboxed Bash Policy Capability Pack Skill
Expert Claude Code sandboxed bash policy capability pack applying documented /sandbox enablement, filesystem and network boundaries, autoAllowBashIfSandboxed review, and fail-closed settings for autonomous shell workflows.
Open the source and read safety notes before installing.
Safety notes
- Sandboxing reduces blast radius but does not replace human review of diffs.
- autoAllowBashIfSandboxed auto-approves some sandboxed commands—pair with deny rules.
- Missing dependencies can disable sandbox silently unless fail-closed settings apply.
- Network allowlists still permit egress to listed domains—document allowed hosts.
Privacy notes
- Sandbox logs and permission prompts may capture command text and paths.
- Allowed write paths may include files with secrets—keep credentials out of sandbox scope.
- Policy summaries for external auditors should omit internal hostnames when possible.
Prerequisites
- Claude Code on macOS, Linux, or WSL with sandbox dependencies installable.
- Permission to edit project or managed settings.json sandbox blocks.
- Inventory of bash commands agents run in CI and local workflows.
- Security stakeholder for production repository policy sign-off.
Schema details
- Install type: package
- Reading time: 9 min
- Difficulty score: 77
- Troubleshooting: Yes
- Breaking changes: No
- Scope: Source repo
- Skill type: capability-pack
- Skill level: expert
- Verification: validated
- Verified at: 2026-06-16
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
# Trigger
"Apply the Claude Code sandboxed bash policy capability pack for this project."
# Required output
1) Sandbox dependency and /sandbox status checklist
2) Filesystem and network boundary recommendations
3) autoAllowBashIfSandboxed risk review
4) Fail-closed and rollback plan
5) Privacy-safe policy summary
About this resource
Knowledge Freshness
Grounded in Claude Code sandboxing, permissions, and settings documentation
verified on 2026-06-16. Sandbox defaults and dependency checks change with
releases; verify /sandbox after upgrades.
Retrieval Sources
- https://code.claude.com/docs/en/sandboxing
- https://code.claude.com/docs/en/permissions
- https://code.claude.com/docs/en/settings
- https://code.claude.com/docs/en/skills
- https://github.com/anthropics/claude-code
- https://developers.google.com/search/docs/fundamentals/creating-helpful-content
Source Verification Notes
Verified against official sandboxing documentation on 2026-06-16:
- Sandboxed bash isolates filesystem and network access with configurable boundaries.
- `/sandbox` reports dependency status and configuration health.
- Settings support fail-closed behavior when sandbox dependencies are unavailable.
- `autoAllowBashIfSandboxed` can auto-approve commands that run inside the sandbox.
- Permissions and deny rules remain the authoritative enforcement layer.
Scope Note
Community reusable policy skill—not an official Anthropic product. Applies documented sandbox setup and review steps; implementation guides cover first-time enablement separately.
Core Workflow
- Run `/sandbox` and record dependency status.
- Inventory bash commands agents need (build, test, lint, deploy).
- Map required filesystem read/write paths and network destinations.
- Draft sandbox settings with minimal allowlists.
- Review `autoAllowBashIfSandboxed` against deny rules for destructive patterns.
- Enable fail-closed settings for CI and managed environments.
- Test representative commands in a staging repository.
- Publish privacy-safe policy summary for the team.
Capability Scope
- Sandbox dependency verification.
- Filesystem and network boundary design.
- autoAllowBashIfSandboxed risk review.
- Fail-closed and rollback planning.
- Stakeholder policy summaries.
Compatibility
Native
- Claude Code: use as an Agent Skill when rolling out sandbox policy to teams.
Manual Adaptation
- Generic AGENTS: apply checklist when evaluating Claude Code sandbox configs.
Required Inputs
- Target repository layout and build/test commands.
- Current settings.json sandbox and permissions blocks.
- Network egress requirements (registries, APIs, proxies).
- Managed policy constraints for enterprise deployments.
Production Rules
- Verify `/sandbox` after every Claude Code upgrade.
- Deny destructive patterns even when sandboxed.
- Document allowed domains; avoid wildcard egress in production.
- Never store secrets in sandbox-writable paths by convention.
- Require human approval before widening write or network scope.
- Roll back policy changes that block legitimate CI commands.
Review Matrix
| Command class | Sandbox stance | Notes |
|---|---|---|
| Read-only lint | Allow in sandbox | Low risk with read scope |
| Package install | Network allowlist | Pin registries |
| rm -rf patterns | Deny | Even if sandboxed |
| curl unknown hosts | Deny or allowlist | Prevents exfiltration |
| Deploy scripts | Foreground approval | No silent auto-allow |
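
The review matrix above applied to a command inventory, as an added Python example that is not part of the original skill. The tool names, the allowlisted hosts, the `--fix` rule and the fallback to foreground approval for anything unmatched are assumptions made here.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample policy inputs (assumptions); replace with your own inventory.
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org"}
LINTERS = {"eslint", "ruff", "shellcheck"}
INSTALLERS = {("npm", "ci"), ("npm", "install"), ("pip", "install")}
OPERATORS = ";|&()"
DEFAULT = ("Unclassified", "Foreground approval")  # assumption: unknown needs a human
# Stances from the review matrix, least to most restrictive.
ORDER = ["Allow in sandbox", "Network allowlist", "Foreground approval", "Deny"]

def _segments(command):  # split into simple commands at shell control operators
    lexer = shlex.shlex(command, posix=True, punctuation_chars=OPERATORS)
    lexer.whitespace_split = True   # keep URLs and paths as single tokens
    lexer.commenters = ""           # do not let '#' hide the rest of the line
    segs = [[]]
    for tok in lexer:
        if tok and all(c in OPERATORS for c in tok):
            segs.append([])
        else:
            segs[-1].append(tok)
    return [s for s in segs if s]

def _classify_simple(argv):
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    short = "".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--"))
    if prog == "rm" and ("r" in short.lower() or "--recursive" in args) \
            and ("f" in short or "--force" in args):
        return ("rm -rf patterns", "Deny")
    if prog in ("curl", "wget"):
        hosts = [urlparse(a).hostname for a in args if "://" in a]
        if hosts and all(h in ALLOWED_HOSTS for h in hosts):
            return ("curl to allowlisted host", "Network allowlist")
        return ("curl unknown hosts", "Deny")   # no URL or unlisted host: fail closed
    if (prog, args[0] if args else "") in INSTALLERS:
        return ("Package install", "Network allowlist")
    if prog in LINTERS and "--fix" not in args:   # --fix writes files, not read-only
        return ("Read-only lint", "Allow in sandbox")
    if "deploy" in prog:
        return ("Deploy scripts", "Foreground approval")
    return DEFAULT

def classify(command):  # strictest segment of a compound command wins
    try:
        results = [_classify_simple(s) for s in _segments(command)]
    except ValueError:   # unbalanced quotes: shlex cannot tokenize it
        return ("Unparseable", "Foreground approval")
    return max(results or [DEFAULT], key=lambda r: ORDER.index(r[1]))
```

This is a triage aid for the inventory step, not an enforcement layer; wrappers such as `sudo` or `xargs` land in Unclassified and go to a human.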
Output Contract
- /sandbox status checklist.
- Filesystem and network recommendations.
- autoAllowBashIfSandboxed findings.
- Fail-closed and rollback plan.
- Privacy-safe policy summary.
Troubleshooting
Issue: Sandbox silently disabled
Fix: Enable fail-closed; install documented dependencies; re-run /sandbox.
Issue: CI blocked after policy tighten
Fix: Diff deny rules; add minimal network allowlist for registry hosts.
Duplicate Check
sandboxed-bash-setup-for-autonomous-coding-agents is a setup guide. No skills
entry provides this sandbox policy capability pack with review matrix.
Editorial Disclosure
Independent entry by kiannidev based on public Claude Code documentation. No
paid placement or affiliate links.
How it compares
Claude Code Sandboxed Bash Policy Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Claude Code Sandboxed Bash Policy Capability Pack Skill | Claude Code Deep Links Runbook Capability Pack Skill | Claude Code Troubleshooting Triage Capability Pack Skill | Claude Code Enterprise Network Config Capability Pack Skill |
|---|---|---|---|---|
| Description | Expert Claude Code sandboxed bash policy capability pack applying documented /sandbox enablement, filesystem and network boundaries, autoAllowBashIfSandboxed review, and fail-closed settings for autonomous shell workflows. | Expert Claude Code deep links runbook capability pack for building safe claude-cli:// URLs, embedding them in incident runbooks, and validating cwd, repo, and prompt parameters before users press Enter. | Expert Claude Code troubleshooting triage capability pack for diagnosing install failures, auth errors, MCP issues, sandbox blocks, and update regressions with source-backed triage matrices and privacy-safe support output. | Expert Claude Code enterprise network configuration capability pack for auditing proxy settings, custom CA trust, mTLS client certificates, URL allowlists, and provider-specific routing in restricted corporate networks. |
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | kiannidev | kiannidev | kiannidev |
| Added | 2026-06-16 | 2026-06-13 | 2026-06-15 | 2026-06-13 |
| Platforms | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓Sandboxing reduces blast radius but does not replace human review of diffs. autoAllowBashIfSandboxed auto-approves some sandboxed commands—pair with deny rules. Missing dependencies can disable sandbox silently unless fail-closed settings apply. Network allowlists still permit egress to listed domains—document allowed hosts. | ✓Deep links pre-fill prompts but never auto-send; users must press Enter after reviewing the external-link warning. Untrusted pages can craft malicious prompts; treat every deep link like untrusted input until a human reviews it. Prompts over 1,000 characters show an extended warning; require scroll review before sending long links. Network and UNC paths are rejected for cwd; use absolute local paths or repo slugs instead. If both cwd and repo are passed, cwd wins even when the path does not exist; validate parameters deliberately. Organizations can disable handler registration with disableDeepLinkRegistration in settings or managed policy. | ✓This skill triages failures; it must not disable sandbox, security, or managed policy without explicit admin approval. Do not paste secrets, OAuth tokens, or session cookies into public troubleshooting threads. Avoid running destructive fix steps (global uninstall, credential deletion) without user confirmation. MCP and plugin removals can break team workflows; document rollback before changes. | ✓This skill recommends network configuration changes; it must not edit proxy credentials, certificate files, or settings without showing proposed diffs first. Avoid hardcoding proxy passwords in scripts or committed settings; use secure credential storage or managed env injection. Claude Code does not support SOCKS proxies; do not recommend SOCKS-only egress paths. Changing CLAUDE_CODE_CERT_STORE from the default can break trust for TLS-inspection proxies if the OS store is removed unintentionally. mTLS client keys and passphrases are sensitive; store them outside repositories and restrict filesystem permissions. Disabling telemetry requires explicit env configuration before finalizing allowlists; do not assume zero outbound telemetry by default. |
| Privacy notes | ✓Sandbox logs and permission prompts may capture command text and paths. Allowed write paths may include files with secrets—keep credentials out of sandbox scope. Policy summaries for external auditors should omit internal hostnames when possible. | ✓Deep link URLs embed prompt text in query parameters, which may expose incident details, customer names, or internal service names in browser history, chat logs, or ticketing systems. repo resolution uses the most recently used local clone path, which can reveal directory layout on shared screens via the welcome header. Runbooks pasted into GitHub-rendered Markdown lose clickable claude-cli:// links; code-block copies still expose full URLs to readers. Public runbooks should use redacted example prompts and generic repo slugs unless the audience is internal-only. | ✓Troubleshooting logs can expose repo paths, auth emails, internal URLs, and MCP tool arguments. Support handoffs may include session transcripts; redact customer or employee identifiers first. Network proxy and ZDR settings can reveal enterprise security posture; keep details in private channels. Diagnostic exports may contain API usage metadata governed by org retention policies. | ✓Proxy URLs, client certificate paths, NO_PROXY lists, and settings.json env blocks can expose internal hostnames, service names, and network topology. Enterprise TLS inspection means traffic content may be visible to the proxy operator even when Anthropic ZDR or retention policies apply upstream. Troubleshooting logs, `/doctor` output, and install traces may include usernames, internal domains, and certificate issuer details. Public rollout docs should summarize required domains and config categories, not paste complete proxy credentials or private CA bundles. |
| Prerequisites | | | | |
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |