Claude Code, Codex CLI etc can effectively do anything that a human could do by typing commands into a computer.
They're incredibly dangerous to use if you don't know how to isolate them in a safe container but wow the stuff you can do with them is fascinating.
After using gpt5-codex inside codex-cli to produce this fork of DOSBox (https://github.com/pmarreck/dosbox-staging-ANSI-server) that adds a little telnet server that allows me to screen-scrape VGA textmode data and issue virtual keystrokes (so, full roundtrip scripting, which I ended up needing for a side project to solve a Y2K+25 bug in a DOS app still in production use... yes, these still exist!) via 4000+ lines of C++ (I took exactly one class in C++), and it passes all tests and is non-blocking, I was able to turn around and (within the very same session!) have it help me price it to the client with full justification as well as a history of previous attempts to solve the problem (all of which took my billable time, of course), and since it had the full work history both in Git as well as in its conversation history, it was able to help me generate a killer invoice.
So (if all goes well) I may be getting $20k out of this one, thanks to its help.
Does the C++ code it made pass the muster of an experienced C++ dev? Probably not (would be happy to accept criticisms, lol, although I think I need to dress up the PR a bit more first), but it does satisfy the conditions of 1) builds, 2) passes all its own tests as well as DOSBox's, 3) is nonblocking (commands to it enter a queue and are processed one set of instructions at a time per tick), 4) works as well as I need it to for the main project. This still leaves it suitable for one-off tasks, for which there is a ton of need.
This is a superpower in the right hands.
I’ve been using Claude code since launch, must have used it for 1000 hours or more by now, and it’s never done anything I didn’t want it to do.
Why would I run it in a sandbox? It writes code for me and occasionally runs a build and tests.
I’m not sure why you’re so fixated on the “danger”, when you use these things all the time you end up realizing that the safety aspect is really nowhere near as bad as the “AI doomers” seem to make out.
You (and many, many others) likely won't take this threat seriously until adversarial attacks become common. Right now, outside of security researcher proof of concepts, they're still vanishingly rare.
You ask why I'm obsessed with the danger? That's because I've been tracking prompt injection - and our total failure to find a robust solution for it - for three years now. I coined the name for it!
The only robust solution for it that I trust is effective sandboxing.
Just yesterday my cursor agent made some changes to a live kubernetes cluster even over my specific instruction not to. I gave it kubectl to analyze and find the issues with a large Prometheus + AlertManager configuration, then switched windows to work on something else.
When I was back the MF was patching live resources to try and diagnose the issue.
And yes, these are all "skill issues" - as in, if they had known better this wouldn't have happened to them. However, I think it's fair to call these possibilities out to counterbalance the "AI is amazing and everyone should use it for everything" type narratives, so as to instil at least a little caution.
I too use it extensively. But they’re very, very capable models, and the command line contains a bunch of ways to exfiltrate data off your system if it wants to.
i.e. quite dangerous, but people do it anyway
You know what neighbors of serial killers say to the news cameras right?
"He was always so quiet and polite. Never caused any issues"
Also, I think shellagent sounds cooler.
I expect the portion of Claude Code users who have a dedicated user setup like this is pretty tiny!
Instead I run it in bubblewrap sandbox: https://blog.gpkb.org/posts/ai-agent-sandbox/
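One way to set up the kind of bubblewrap sandbox the comment above describes, as an added example (this is not the linked blog post's script and not anything shipped by the agent vendors): a small Python launcher that builds a `bwrap` command line mounting the system read-only, a dedicated sandbox directory in place of the real home (so the agent keeps its own login/config but never sees `~/.ssh`, `~/.aws`, browser profiles and so on), and only the project directory writable. Networking is off unless asked for. The `~/.agent-home` location, the `--net` flag and the default agent command `claude` are this example's own choices. `writable_paths` exists so you can audit the policy you are about to run without executing anything.

```python
"""Launch a coding agent inside a bubblewrap (bwrap) sandbox.

Added example; the mount layout below is this example's own policy and
assumes the bwrap flags --ro-bind-try, --unshare-all, --share-net,
--die-with-parent, --new-session, --tmpfs, --chdir and --setenv.
"""
import os
import shlex
import sys

# Read-only system paths the agent needs in order to run binaries.
# --ro-bind-try silently skips paths that do not exist on this distro.
RO_SYSTEM = ["/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc"]


def build_bwrap_argv(project_dir, sandbox_home, real_home,
                     allow_network=False, agent_cmd=("claude",)):
    """Return the bwrap command line as a list; nothing is executed here.

    project_dir  -- the only real directory mounted writable.
    sandbox_home -- a dedicated directory mounted *at* real_home, so the agent
                    sees a normal-looking $HOME that contains only its own files.
    allow_network -- off by default, so even a curl-happy agent cannot
                    exfiltrate; the agent's own API calls need it, so decide
                    per task.
    """
    project_dir = os.path.abspath(project_dir)
    sandbox_home = os.path.abspath(sandbox_home)
    argv = ["bwrap", "--unshare-all", "--die-with-parent", "--new-session"]
    if allow_network:
        argv.append("--share-net")
    for path in RO_SYSTEM:
        argv += ["--ro-bind-try", path, path]
    argv += ["--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp"]
    argv += ["--bind", sandbox_home, real_home]    # fake home, writable
    argv += ["--bind", project_dir, project_dir]   # the work tree, writable
    argv += ["--chdir", project_dir, "--setenv", "HOME", real_home]
    argv += ["--"] + list(agent_cmd)
    return argv


def writable_paths(argv):
    """Destinations a bwrap argv mounts read-write (for auditing the policy)."""
    found = set()
    for i, tok in enumerate(argv):
        if tok in ("--bind", "--bind-try", "--dev-bind") and i + 2 < len(argv):
            found.add(argv[i + 2])
    return found


def main():
    """Usage: sandbox_agent.py PROJECT_DIR [--net] [-- AGENT ARGS...]"""
    args = sys.argv[1:]
    if not args:
        print(main.__doc__, file=sys.stderr)
        return 2
    project = args.pop(0)
    allow_net = "--net" in args
    args = [a for a in args if a != "--net"]
    agent = args[1:] if args[:1] == ["--"] else (args or ["claude"])
    real_home = os.path.expanduser("~")
    sandbox_home = os.path.join(real_home, ".agent-home")  # assumed location
    os.makedirs(sandbox_home, exist_ok=True)
    argv = build_bwrap_argv(project, sandbox_home, real_home, allow_net, agent)
    print("+ " + shlex.join(argv), file=sys.stderr)   # show the policy being applied
    os.execvp(argv[0], argv)                           # replace ourselves with bwrap


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats worth knowing before relying on this: the agent binary has to be reachable from inside the sandbox (install it under `~/.agent-home` or add a read-only bind for wherever it lives), and nothing here protects the project directory itself, so the agent can still wipe the work tree; keep it under version control and treat the sandbox as containing the blast radius, not eliminating it.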
As long as the supply chain is safe and the data it accesses does not generate some kind of jail break.
It does read instructions from files on the file system. I'm pretty sure it's not complex to have it poison its prompt and make it suggest building a program infected with malicious intent. It's just one copy pasta away from a prompt suggestion found on the internet.
[0]: https://ricardoanderegg.com/posts/control-shell-permissions-...
I have no way of really guaranteeing that it will do exactly what it proposed and nothing more, but so far I haven't seen it deviate from a command I approved.
I've used it to troubleshoot some issues on my linux install, but it's also why the folder sandbox gives me zero confidence that it can't still brick my machine. It will happily run system wide commands like package managers, install and uninstall services, it even deleted my whole .config folder for pulseaudio.
Of course I let it do all these things, briefly inspecting each command, but hopefully everyone is aware that there is no real sandbox if you are running claude code in your terminal. It only blocks some of the tool usages it has, but as soon as it's using bash it can do whatever it wants.
I would like a friendlier interface than the terminal, though. It looks like the “Imagine with Claude” experiment they announced today is a step in that direction. I’m sure many other companies are working on similar products.
The gap between coding agents in your terminal and computer agents that work on your entire operating system is just too narrow and will be crossed over quick.
Clearly not. Just put an LLM into some basic scaffolding and you get an agent. And as capabilities of those AI agents grow, so would the degree of autonomy people tend to give them.
That is still very much the case; the danger comes from what you do from the text that is generated.
Put a developer in a meeting room and no computer access, no internet etc; and let him scream instructions through the window. If he screams "delete prod DB", what do you do ? If you end up having to restore a backup that's on you, but the dude inherently didn't do anything remotely dangerous.
The problem is that the scaffolding people put around LLMs is very weak, the equivalent of saying "just do everything the dude is telling you, no questions asked, no double check in between, no logging, no backups". There's a reason our industry has development policies, four-eyes principles, ISO/SOC standards. There already are ways to massively improve the safety of code agents; just put Claude Code in a BSD jail and you already have a much safer environment than what 99% of people are doing, and this is not that tedious to set up. Other safer execution environments (command whitelisting, argument judging, ...) will be developed soon enough.
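The "command whitelisting, argument judging, logging" layer the comment above wants is something you can bolt on today with the agent's own hook mechanism. As an added example (mine, not Claude Code's own code and not a vendor-recommended rule set), here is a PreToolUse hook that writes every shell command the agent wants to run to an append-only audit log and refuses the classes of command people in this thread got burned by: recursive deletes outside the work tree, mutating `kubectl` against a live cluster, system package managers and services, download-to-shell pipes, data uploads and force pushes. The hook protocol assumed here (a JSON object on stdin carrying `tool_name` and `tool_input.command`, exit status 2 meaning "block, and show stderr to the model") is how Claude Code hooks are documented at the time of writing; verify it against the current docs. The log path and the regexes are this example's own.

```python
"""PreToolUse hook: audit every Bash command and block a few destructive or
exfiltration patterns that a filesystem sandbox alone does not stop.

Added example.  Assumes the Claude Code hook protocol described in the
lead-in; the rules and the log path are this example's own choices.
"""
import json
import re
import sys
import time

AUDIT_LOG = "/var/log/agent-commands.log"   # assumed path; pick one the agent cannot write

# (compiled regex, reason shown to the model).  Deliberately narrow: the goal
# is to catch well-known foot-guns, not to parse shell.  A regex deny-list is a
# tripwire, not a security boundary; the sandbox is the boundary.
DENY_RULES = [
    (re.compile(r"\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)+(/|~|\$HOME|\.\.)"),
     "recursive delete outside the work tree"),
    (re.compile(r"\bkubectl\s+(apply|patch|delete|edit|scale|rollout)\b"),
     "mutating kubectl against a live cluster"),
    (re.compile(r"\b(apt(-get)?|dnf|yum|pacman|brew)\s+(install|remove|purge)\b"),
     "system package manager"),
    (re.compile(r"\bsystemctl\s+(start|stop|restart|enable|disable|mask)\b"),
     "changing system services"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"),
     "piping a download into a shell"),
    (re.compile(r"\b(curl|wget)\b.*(-d|--data|-T|--upload-file|-F)\b"),
     "uploading data to a remote host"),
    (re.compile(r"\bgit\s+push\b.*(--force|-f\b)"), "force push"),
]


def decide(tool_name, command):
    """Return (allowed, reason).  Only Bash is policed; other tools pass through."""
    if tool_name != "Bash":
        return True, None
    for pattern, reason in DENY_RULES:
        if pattern.search(command):
            return False, reason
    return True, None


def audit(entry, path):
    """Append one JSON line per decision so there is a record of what the agent tried."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")


def main():
    payload = json.load(sys.stdin)                       # hook input from the agent
    tool = payload.get("tool_name", "")
    command = payload.get("tool_input", {}).get("command", "")
    allowed, reason = decide(tool, command)
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%S"), "tool": tool,
             "command": command, "allowed": allowed, "reason": reason}
    try:
        audit(entry, AUDIT_LOG)
    except OSError as exc:                               # never let logging failure silently allow
        print(f"audit log unavailable: {exc}", file=sys.stderr)
    if not allowed:
        print(f"Blocked by policy: {reason}. Ask the user to run this by hand.",
              file=sys.stderr)
        return 2                                         # assumed: exit 2 = block
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Register it under `hooks.PreToolUse` with a `Bash` matcher in the project's `.claude/settings.json` (again, per the hooks docs as I understand them). Because the hook runs before the permission prompt, it also answers the "dialog fatigue" problem raised further down the thread: the categories you never want to approve by reflex simply never reach the prompt.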
Excellent article in this vein: https://jxnl.co/writing/2025/09/04/context-engineering-rapid...
One criticism of the current generation of AI is that they have no real world experience. Well, they have an enormous amount of digital world experience. That, actually, has more economic value.
I suppose they’re dangerous in the same way any terminal shell is dangerous, but it seems a bit of a moral panic. All tools can be dangerous if misused.
Even with approvals humans will fall victim to dialog fatigue, where they'll click approve on everything without reading it too closely.
Maybe something like bubblewrap could help
They still don't have good integration with the web browser, if you are debugging frontend you need to carry screenshots manually, it cannot inspect the DOM, run snippets of code in the console, etc.
I've seen Codex CLI install Playwright Python when I asked it to do this and it found it wasn't yet available in the environment.
It's pretty new, but so far it's been a lifesaver.
True but all it will take is one report of something bad/dangerous actually happening and everyone will suddenly get extremely paranoid and start using correct security practices. Most of the "evidence" of AI misalignment seems more like bad prompt design or misunderstanding of how to use tools correctly.
You can use it for writing, data processing, admin work, file management, etc.
I compiled a list of non-coding use cases for Claude Code here:
Specifically, Input Method Editors needed for CJK input (esp. for C and J) convert ambiguous semi-readable forms into proper readable text: you use Enter to finalize after candidates have been iterated with the spacebar. While IME engines don't interchange between different languages, I believe basically all of them roughly follow this pattern.
Unless you specifically want to exclude CJK users, you have to either detect the presence of an IME and work with it so that Enter does nothing to the app unless conditions are met. Switching to shift+enter works too.
1: https://github.com/anthropics/claude-code/issues/8405
2: https://www.youtube.com/watch?v=mY6cg7w2eQU
1: https://github.com/anthropics/claude-code/issues/8405#issuec...
https://www.anthropic.com/news/context-management
Anyone know if these are used in Claude-Code?
[1] https://github.com/marckrenn/cc-mvp-prompts/compare/v1.0.128...
[2] https://x.com/CCpromptChanges/status/1972709093874757976
Interesting. This was in the old 1.x prompt, removed for 2.0. But CC would pretty much always add comments in 1.x, something I would never request, and would often have to tell it to stop doing (and it would still do it sometimes even after being told to stop).
I should probably include that in my Claude.md instead I guess?
what in the world?
Here's how it works in detail: https://mariozechner.at/posts/2025-08-03-cchistory/
Here's how it works: https://mariozechner.at/posts/2025-08-03-cchistory/
The bot is based on Mario Zechner's excellent work[1] - so all credit goes to him!
I wrote about one tool for doing that here: https://simonwillison.net/2025/Jun/2/claude-trace/
Why do you think these aren't legit?
* New native VS Code extension
* Fresh coat of paint throughout the whole app
* /rewind a conversation to undo code changes
* /usage command to see plan limits
* Tab to toggle thinking (sticky across sessions)
* Ctrl-R to search history
* Unshipped claude config command
* Hooks: Reduced PostToolUse 'tool_use' ids were found without 'tool_result' blocks errors
* SDK: The Claude Code SDK is now the Claude Agent SDK Add subagents dynamically with --agents flag
[1] https://github.com/anthropics/claude-code/blob/main/CHANGELO...
I told it to crop the video to just her and remove the obscured portion and that I had ffmpeg and imagemagick installed and it looked at the video, found the crop dimensions, then ran ffmpeg and I had a video of her all cleaned up! Marvelous experience.
My only complaint is that sometimes I want high speed. Unfortunately Cerebras and Groq don't seem to have APIs that are compatible enough for someone to have put them into Charm Crush or anything. But I can't wait for that.
https://github.com/grafbase/nexus/
If Groq talks the OpenAI API, you enable the anthropic protocol, and the openai provider with a base url to Groq. Set ANTHROPIC_BASE_URL to the open endpoint and start claude.
I haven't tested Groq yet, but this could be an interesting use case...
Auth conflict: Both a token (ANTHROPIC_AUTH_TOKEN) and an API key (/login managed key) are set. This may lead to unexpected behavior.
• Trying to use ANTHROPIC_AUTH_TOKEN? claude /logout
• Trying to use /login managed key? Unset the ANTHROPIC_AUTH_TOKEN environment variable.
Probably just another flag to find.
EDIT: For anyone coming here from elsewhere, Crush from Charm supports Cerebras/Groq natively!
But you're right, they have an OpenAI compatible API https://inference-docs.cerebras.ai/resources/openai so perhaps I can actually use this in the CLI! Thanks for making me take another look.
EDIT: Woah, Charm supports this natively. This is great. I am going to try this now.
This is pretty funny while Cursor shipped their own CLI.
I think I lack the social skills to community drive a fix, probably through some undiagnosed disorder or something so I've been trying to soldier alone on some issues I've had for years.
The issues are things like focus jacking in some window manager I'm using on xorg where the keyboard and the mouse get separate focuses
Goose has been somewhat promising, but still not great.
I mean overall, I don't think any of these coding agents have given me useful insight into my long vexing problems
I think there has to be some type of perception gap or knowledge asymmetry to be really useful - for instance, with foreign languages.
I've studied a few but just in the "taking classes at the local JC" way. These LLMs are absolutely fantastic aids there because I know enough to frame the question but not enough to get the answer.
There's some model for dealing with this I don't have yet.
Essentially I can ask the right question about a variety of things but arguably I'm not doing it right with the software.
I've been writing software for decades, is it really that I'm not competent enough to ask the right question? That's certainly the simplest model but it doesn't check out.
Maybe in some fields I've surpassed a point where llms are useful?
It all circles back to an existential fear of delusional competency.
[0] https://cognition.ai/blog/devin-sonnet-4-5-lessons-and-chall...
Sonnet 4.5 is beating Opus 4.1 on many benchmarks. Feels like it's a change they made not to 'remove options', but because it's currently universally better to just let Sonnet rip.
    [
      {
        "key": "shift+enter",
        "command": "workbench.action.terminal.sendSequence",
        "args": { "text": "\u001b\n" },
        "when": "terminalFocus"
      }
    ]
It will allow you to get new lines without any strange output.
So I've been able to shift enter. I'm using iTerm2 and zsh with CC (if that's relevant)
Others say here that option/alt-enter may work? Not sure why shift-enter couldn't, though.
So I can opt out of training, but they still save the conversation? Why can't they just not use my data when I pay for things. I am tired of paying, and then them stealing my information. Tell you what, create a free tier that harvests data as the cost of the service. If you pay, no data harvesting.
Even that is debatable. There are a lot of weasel words in their text. At most they're saying "we're not training foundation models on your data", which is not to say "we're not training reward models" or "we're not testing our other-data models on your data" and so on.
I guess the safest way to view this is to consider anything you send them as potentially in the next LLMs, for better or worse.
When they ask "How is Claude doing this session?", that appears to be a sneaky way for them to harvest the current conversation based on the terms-of-service clause you pointed out.
Storing the data is not the same as stealing. It's helpful for many use cases.
I suppose they should have a way to delete conversations though.
I've always been curious. Are tags like that one: "<system-reminder>" useful at all? Is the LLM training altered to give a special meaning to specific tags when they are found?
Can a user just write those magic tags (if they knew what they are) and alter the behavior of the LLM in a similar manner?
You can just make them up, and ask it to respond with specific tags, too.
Like “Please respond with the name in <name>…</name> tags and the <surname>.”
It’s one of the approaches to forcing structured responses, or making it role-play multiple actors in one response (having each role in its tags), or asking it to do a round of self-critique in <critique> tags before the final response, etc.
- Circuit breakers when it seems like it's stuck in a loop
- Warnings about running low on context
- Reminders about task lists (or anything)
- All sorts of warnings about whatever
Okay, I know I shouldn't anthropomorphize, but I couldn't prevent myself from thinking that this was a bit of a harsh way of saying things :(
I spend most of my time making version files with the prompt, but pretty impressed by how far I've gotten on an idea that would have never seen the light of day....
The thoughts of having to write input validation, database persistence, and all the other boring things I've had to write a dozen times in the past....
Looks great, but it's kind of buggy:
- I can't figure out how to toggle thinking
- Have to click in the text box to write, not just anywhere in the Claude panel
- Have to click to reject edits
If Claude Code was a car it'd be the ideal practical vehicle for all kinds of uses.
If OpenAI Codex was a car, it'd be a cauldron with wheels.
The reason I say this is CC offers so many features: plan mode, hooks, escape OR ctrl-c to interrupt it, and today added quick rewind. Meanwhile Codex can't even wrap text to the width of the terminal; you can't type to it while it's working to queue up messages to steer it (you have to interrupt with Ctrl-C then type), and it doesn't show you clearly when it's editing files or what edits it's making. It's the ultimate expression of OpenAI's "the agent knows what to do, silly human" plan for the future - and I'm not here for that. I want to steer my agent, and be able to have it show me its plan before it edits anything.
I really wish the developers of Codex spent more time using Claude Code.
I feel like there are so many bugs. The / commands for add-dir and others I used often are gone.
I logged in, it still says "Login"
https://www.reddit.com/r/ClaudeAI/comments/1mlhx2j/comment/n...
Is this going to be the way forward? Switching to whichever is better at a task, code base or context?
cl --version 1.0.44 (Claude Code)
as expected … liar! ;)
cl update
Wasn't that hard sorry for bothering
The UX is definitely better because it uses the Bubble Tea library, which is probably the best TUI framework ever.
And you can use a ton of different providers and models
Why would they?
I also use jj to checkpoint. When working on a change, each time I get to a stable point I squash and start fresh with an empty change.
You can absolutely continue doing that.
I wish it was maintained by a larger team though. It has a single maintainer and they seem to be backlogged or working on other stuff. If there was an aider fork that ran forward with capabilities I'd happily switch.
That said, I haven't tried Claude Code firsthand, only saw friends using it. I'm not comfortable letting agents loose on my production codebase.
Though I will see how this pans out.
I use Opus to write the planning docs for 30 min, then use Sonnet to execute them for another 30 min.
This isn't true, you just need to use the usual shortcut twice: shift+tab
If I hit shift-Tab twice I can still get to plan mode
That's generally my workflow, and I have the results saved into a CLAUDE-X-plan.md. Then I review the plan and incrementally change it if the initial plan isn't right.
WTF. Terrible decision if true. I don't see that in the changelog though
- Need better memory management and controls (especially across multi-repos) - /upgrade needs better management
I hope this is the case.
Pardon my ignorance, but what does this mean? It's a terminal app that has always expanded to the full terminal, no? I've not noticed any difference in how it renders in the terminal.
What am I misunderstanding in your comment?