
Hazmat Sandboxes Claude Code at the OS Level, Making Full Autonomy Practical on macOS

Image: Claude by Anthropic (credit: Anthropic)

Running Claude Code in manual approval mode sounds like a reasonable compromise. In practice, it fails at both jobs it's supposed to do.

The security problem: prompt injection. That's when malicious text in a file, webpage, or external data source contains hidden instructions telling the AI to do something other than what you intended - exfiltrate code, delete files, make unauthorized API calls. When Claude Code hits that content and follows those instructions, clicking "allow" on the resulting action doesn't protect you. You approved a step without knowing it was manipulated.

The productivity problem: you become the bottleneck. Autonomous coding agents are most useful when they can chain together dozens of actions without stopping. Every approval prompt breaks that chain.

Hazmat, an open-source project for macOS, takes a different approach: contain the agent at the operating system level so --dangerously-skip-permissions - Claude Code's flag to run without approval prompts - is actually safe to use. The containment layers include a dedicated macOS user account with restricted permissions, Apple's Seatbelt kernel sandbox (which enforces restrictions in the OS kernel, below any application), a pf firewall, a DNS blocklist for outbound network control, and npm's ignore-scripts setting, which stops packages from running code at install time (the mechanism behind many supply chain attacks). Automatic filesystem snapshots let you roll back if something goes wrong.

The logic is sound. OS-level containment is fundamentally harder to escape than application-level approval dialogs. An agent that has been manipulated via its own instructions can still be stopped by a kernel sandbox that physically prevents writing outside the project directory, connecting to unexpected hosts, or spawning arbitrary binaries. The application doesn't get a vote.
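To make the layers above concrete, here is an added macOS shell sketch of what project-scoped containment looks like. It is illustrative code written for this article, not Hazmat's own scripts or profile: the Seatbelt rules, the unprivileged account name `agent`, the pf anchor lines and the file paths are all assumptions, and a real profile will need additional allow rules for whatever toolchain the agent runs.

```shell
#!/bin/sh
# Added example, not Hazmat's code. Assumes macOS with an unprivileged
# account named "agent" already created for the coding agent.

# Layer 1: a Seatbelt (SBPL) profile. "deny default" means anything not
# explicitly allowed is refused by the kernel, whatever the agent intends.
# Writes are confined to the directory bound to PROJECT_DIR at launch.
gen_seatbelt_profile() {
    cat <<'EOF'
(version 1)
(deny default)
;; Broad read access so compilers and interpreters find their libraries.
(allow file-read*)
;; Writes only inside the project tree (and a scratch dir).
(allow file-write* (subpath (param "PROJECT_DIR")))
(allow file-write* (subpath "/private/tmp"))
;; Forking is fine; exec is limited to known toolchain locations
;; (assumed paths; extend for your own installs).
(allow process-fork)
(allow process-exec
    (subpath "/bin")
    (subpath "/usr/bin")
    (subpath "/opt/homebrew/bin"))
;; Baseline services most binaries need just to start.
(allow sysctl-read)
(allow mach-lookup)
;; Network: outbound HTTPS only. pf and the DNS blocklist narrow further.
(deny network*)
(allow network-outbound (remote tcp "*:443"))
EOF
}

# Launch a command under the profile. sandbox-exec is deprecated but still
# shipped; -D binds the PROJECT_DIR parameter the profile refers to.
# Denied operations show up in the unified log, e.g.
#   log show --last 5m --predicate 'eventMessage CONTAINS[c] "sandbox"'
run_contained() {
    project="$1"; shift
    profile="${TMPDIR:-/tmp}/agent-project.sb"
    gen_seatbelt_profile > "$profile"
    sandbox-exec -D "PROJECT_DIR=$project" -f "$profile" "$@"
}

# Layer 2: supply chain. An .npmrc for the agent account that refuses
# install-time lifecycle scripts (the argument is the path to write).
write_npmrc() {
    printf 'ignore-scripts=true\n' > "$1"
}

# Layer 3: pf anchor matching on the socket owner. Only DNS to the local
# resolver (which applies the blocklist) and TCP 443 leave the agent account.
gen_pf_anchor() {
    cat <<'EOF'
pass out quick proto udp from any to 127.0.0.1 port 53 user agent
pass out quick proto tcp from any to any port 443 user agent
block drop out quick from any to any user agent
EOF
}

# Layer 4: rollback. An APFS local snapshot taken before the agent starts.
take_snapshot() {
    tmutil localsnapshot
}

# Usage (on macOS, as the agent user, with the pf anchor already loaded):
#   take_snapshot
#   run_contained "$HOME/project" claude --dangerously-skip-permissions
```

The important design point is the order of trust: the profile is read by the kernel, so even an agent that has been prompt-injected into running `curl` against an attacker's host or writing outside the project tree gets a permission error rather than a success, and the denial is logged where your detection tooling can see it.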

The project is currently macOS-only, which limits its reach for teams on Linux or Windows. The developer notes this directly addresses the gap between Claude Code's autonomy features and the security guarantees most developers actually need before running agents against production-adjacent code. Available on GitHub.