Sandboxing agentic coding tools is complex. It involves managing how these tools interact with untrusted content, communicate externally, and access sensitive data. Anthropic offers several sandboxing tools for Claude Code, and similar features are available in Cursor and OpenAI’s Codex CLI. Developers can also create custom sandboxes using gVisor or Firecracker VMs, focusing on network isolation and proxies. The risks associated with sandboxes include potential data exfiltration. For instance, if Claude Code accesses environment variables or files in the terminal session, it can expose sensitive information, like API keys. Developers should avoid leaving these secrets in accessible locations. The devcontainer template includes a firewall that restricts network connections at the IP level, but it doesn’t guarantee protection at the application layer. Misconfigurations can allow sensitive data to escape through various means, including SSH connections or creating npm packages with secrets. To mitigate these risks, using network proxies can help hide secrets like the Anthropic API key. Claude Code supports HTTP proxies, but developers need to configure them correctly. Tools like mitmproxy can intercept and modify HTTP requests, allowing developers to inject dummy API keys. This technique prevents Claude Code from directly accessing real credentials. Furthermore, organizations can apply least privilege principles to minimize the risk associated with API key exposure, especially since Admin API keys inherit permissions from the user who created them. Implementing these strategies can help secure sensitive data while using agentic coding tools.