What happens when you give an AI coding assistant write access to your entire file system and it confidently executes the wrong command?
That's the question developer Dirk Holtwick explores in a detailed analysis of sandboxing strategies for AI coding tools. The core argument is simple: tools like Cursor, Claude Code, and GitHub Copilot Workspace increasingly request broad file system permissions to function, and the gap between "helpful code assistant" and "thing that can delete your project" is exactly one bad instruction.
The Risk Is Not Theoretical
Holtwick documents specific scenarios where AI coding tools can cause real damage. An AI that misinterprets a refactoring instruction might overwrite files outside the project directory. A tool running shell commands could execute destructive operations. Even well-intentioned cleanup suggestions can wipe out uncommitted work. The risk scales with how much access you grant - and most users grant everything because the tool asks nicely during setup.
The problem gets worse with agent-based coding tools that run autonomously. When an AI executes a multi-step task without human approval at each step, each step's output feeds the next, so a single early misinterpretation (the wrong directory, the wrong branch, a stale listing of what a folder contains) compounds into a run of confidently executed commands with no human checkpoint between the bad assumption and the destructive one.
Practical Sandboxing Options
The article evaluates several approaches to containment. Docker containers offer strong isolation but add setup overhead. macOS Sandbox profiles (the seatbelt profiles loaded with `sandbox-exec`) can restrict file access at the OS level. Linux namespaces provide lightweight isolation, for instance through bubblewrap. For most developers, the simplest approach is restricting AI tools to a specific project directory and using git as a safety net. Two caveats apply to that safety net: git can only bring back what was committed, and it only helps while the repository itself is intact. A tool confined to the project directory can still run `git reset --hard`, `git clean -fdx` or `rm -rf .git` inside it, so the commit you plan to revert to should also exist somewhere the tool cannot write (a pushed remote, or a copy outside the directory).
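Here is what "restrict the tool to the project directory" looks like in practice, as an added example that is not from Holtwick's article: a small POSIX shell wrapper that prints (for review) or runs an AI coding CLI under either bubblewrap, which uses Linux namespaces, or Docker, with the whole filesystem read-only except the project directory. The tool name `some-agent`, the image name and the function names are placeholders chosen here; the script assumes bwrap or docker is installed and that the tool needs outbound network for model API calls but nothing else outside the project.

```shell
#!/bin/sh
# Added example, not from the article: confine an AI coding CLI so the project
# directory is the only writable location. Assumptions: bubblewrap (bwrap) or
# Docker is installed; "some-agent" stands in for the real tool; the tool needs
# outbound network for model API calls and nothing else outside the project.

# Refuse directories that would make the sandbox pointless.
check_project_dir() {
    dir=$1
    case "$dir" in
        /*) ;;
        *) echo "project dir must be an absolute path: $dir" >&2; return 1 ;;
    esac
    case "$dir" in
        / | "${HOME:-/nonexistent}" | "${HOME:-/nonexistent}"/)
            echo "refusing to make $dir writable" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
}

# bubblewrap: user namespace, root read-only, project bind-mounted writable,
# private /dev, /proc and /tmp, network kept, child killed with the parent.
# "print" shows the argv for review; "exec" replaces the shell with it.
sandbox_bwrap() {
    mode=$1; proj=$2; shift 2
    check_project_dir "$proj" || return 1
    set -- bwrap \
        --ro-bind / / \
        --dev /dev --proc /proc --tmpfs /tmp \
        --bind "$proj" "$proj" \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        --chdir "$proj" -- "$@"
    if [ "$mode" = exec ]; then
        command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
        exec "$@"
    fi
    printf '%s ' "$@"; printf '\n'
}

# Docker: read-only rootfs, all capabilities dropped, no privilege escalation,
# unprivileged uid, pid limit, project mounted at /work. Add --network none
# when the tool really needs no API access.
sandbox_docker() {
    mode=$1; proj=$2; image=$3; shift 3
    check_project_dir "$proj" || return 1
    set -- docker run --rm -it \
        --read-only --tmpfs /tmp \
        --cap-drop ALL --security-opt no-new-privileges \
        --user "$(id -u):$(id -g)" --pids-limit 256 \
        -v "$proj:/work" -w /work "$image" "$@"
    if [ "$mode" = exec ]; then
        command -v docker >/dev/null 2>&1 || { echo "docker not installed" >&2; return 127; }
        exec "$@"
    fi
    printf '%s ' "$@"; printf '\n'
}

# Example invocations (review the argv first, then run):
#   sandbox_bwrap  print "$PWD" some-agent
#   sandbox_bwrap  exec  "$PWD" some-agent
#   sandbox_docker exec  "$PWD" some-agent-image:latest some-agent
```

Two things to adjust for a real tool. Most agent CLIs write their own config or cache under the home directory, which the bwrap form leaves read-only; bind that one directory writable (`--bind "$HOME/.config/some-agent" "$HOME/.config/some-agent"`) rather than the whole home. And `--ro-bind / /` stops writes but still lets the tool read `~/.ssh`, cloud credentials and every other project; if confidentiality matters as much as integrity, replace it with explicit read-only binds of `/usr`, `/etc` and `/lib` plus a private `--tmpfs "$HOME"` with only the tool's state directory bound in.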
Some tools are already building this in. Claude Code, for example, has a permission system that asks for explicit approval before file writes and shell commands. Cursor, a VS Code fork, inherits the editor's extension-host isolation, which exists to keep a misbehaving extension from taking the editor down rather than to confine what it may touch. These are application-level controls, not OS boundaries: once a prompt is approved, or auto-approved, the command runs with the user's full privileges. The protections also vary widely across tools, and many users turn the prompts off because they slow down the workflow.
The Tradeoff Nobody Talks About
There's a genuine tension here. Sandboxing an AI coding tool makes it safer but also less capable. An AI that can't read your full project structure gives worse suggestions. A tool that needs permission for every file write becomes tedious. Much of the tension is about write scope and prompting rather than read scope, though: letting the tool read the whole project while confining its writes to the project directory costs almost nothing in capability, and the expensive part is the per-action approval. The sweet spot is somewhere between "full access to everything" and "can't do anything useful" - and right now, most tools default to the permissive end because it demos better.
For anyone using AI coding tools daily, the minimum safety setup is: work in git branches, commit frequently (untracked files included, since they are what a stray cleanup deletes), push or otherwise copy those commits somewhere the tool cannot write, and review diffs before accepting bulk changes, with particular attention to deletions. That won't prevent an AI from writing bad code, but it will prevent bad code from becoming permanent.
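The "commit frequently and review diffs" routine turned into a script, as an added example that is not from the article: it snapshots the whole working tree (untracked files included) on a dedicated branch before the agent runs, copies the entire repository history to a git bundle outside the working tree so the backup survives a `git reset --hard`, `git clean -fdx` or `rm -rf .git` executed inside the project, and afterwards reports what changed with deletions counted separately. It assumes git is installed and that `AGENT_BACKUP_DIR` (a name chosen here, default `~/.agent-backups`) is somewhere the agent cannot write; the function names are likewise this example's own.

```shell
#!/bin/sh
# Added example, not from the article. Git only protects what has been committed,
# and only while the repository itself survives, so: snapshot everything on a
# branch, then copy the full history to a bundle outside the working tree.
# Assumptions: git is installed; AGENT_BACKUP_DIR (our name, default
# ~/.agent-backups) lies outside anything the agent is allowed to write.

# Snapshot before the run. Prints "<branch> <bundle path>" on success.
agent_preflight() {
    repo=$1
    backup_dir=${AGENT_BACKUP_DIR:-$HOME/.agent-backups}
    git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 \
        || { echo "not a git work tree: $repo" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    branch="agent/$stamp"
    # Dedicated branch: the agent's edits never land on your real branch directly.
    git -C "$repo" checkout -q -b "$branch" || return 1
    # -A also captures untracked files, which are what usually gets lost.
    # --allow-empty keeps a marker commit even when the tree was already clean.
    git -C "$repo" add -A
    git -C "$repo" commit -q --allow-empty -m "snapshot before agent run $stamp" || return 1
    # Whole-history bundle outside the repo: survives reset --hard, clean -fdx, rm -rf .git.
    mkdir -p "$backup_dir" || return 1
    name=$(basename "$(git -C "$repo" rev-parse --show-toplevel)")
    bundle="$backup_dir/$name-$stamp.bundle"
    git -C "$repo" bundle create "$bundle" --all >/dev/null 2>&1 || return 1
    echo "$branch $bundle"
}

# Number of tracked files the agent deleted from the working tree or index
# (status codes " D", "D " and "DD" in porcelain v1 output).
agent_deleted_count() {
    git -C "$1" status --porcelain | grep -E -c '^(D|.D) ' || true
}

# Review after the run: per-file status (?? = new file, M = modified, D = deleted)
# and a diff stat against the snapshot commit, with deletions flagged loudly.
agent_postflight() {
    repo=$1
    git -C "$repo" status --porcelain
    git -C "$repo" diff --stat HEAD --
    n=$(agent_deleted_count "$repo")
    [ "$n" -eq 0 ] || echo "WARNING: $n tracked file(s) deleted; check before committing" >&2
}

# Typical flow:
#   agent_preflight "$PWD"     # prints the snapshot branch and the bundle path
#   (run the tool, sandboxed or not)
#   agent_postflight "$PWD"    # status, diff --stat, deletion warning
```

If the agent does destroy the repository, `git clone -b agent/<stamp> <bundle path> recovered` rebuilds it, snapshot branch included, because the bundle was written with `--all` and lives outside the directory the tool could write. Keeping the snapshot on its own `agent/...` branch also means accepting the result is an explicit merge or cherry-pick onto your real branch, which is where the diff review happens.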