The era where AI agents directly enter commands and modify files in my terminal has arrived. Anthropic's Claude Code is revolutionary. However, this innovation is a double-edged sword. Executing an AI with full permissions on your system is, from a security engineering perspective, like planting the seeds of a massive disaster.
A single simple mistake or hallucination could expose your .ssh private keys to the outside world or leak AWS credentials stored in environment variables. This isn't a theoretical hypothesis; it's a practical threat. The solution is clear: you must cage the AI agent. This is why you need Incus, which provides system-level security beyond simple Docker isolation.
Where you run your AI agent determines the success or failure of your data security. Running it directly in your local terminal is essentially the same as leaving your front door wide open.
| Comparison Item | Host Terminal | Docker Container | Incus System Container |
|---|---|---|---|
| Isolation Boundary | None (Inherits Privileges) | Process-level Isolation | Kernel-level System Isolation |
| Secret Exposure | Very High | Low | Very Low |
| State Persistence | Permanent | Ephemeral | Permanent |
| Privilege Management | User Privileges Exposed | Risk of Root Abuse | Enforced Unprivileged Mode |
In fact, according to a security report published in 2024, more than 60% of privilege abuse cases involving autonomous agents stemmed from improper sandbox configurations. While Docker is lightweight, it reveals limitations when an agent needs to touch system services or manage complex package dependencies. In contrast, Incus provides an independent operating system environment similar to a Virtual Machine (VM) but with much lower overhead.
The reason senior security engineers choose Incus over Docker is clear: Docker is a tool for deploying applications, not a prison for caging untrusted agents.
The core of Incus is User Namespaces. Inside the container, the agent appears to have root (UID 0) privileges, but on the actual host system that identity is mapped to a high-numbered user (e.g., UID 1,000,000) with no privileges at all. Even if the AI escapes the container, it remains just an unprivileged regular user on the host system.
When you delete a Docker container, the data disappears. However, agents like Claude Code need to remember the context of previous tasks and installed tools. Since Incus is a system container, all states are preserved even if you turn the container off and on. It’s like providing a brain with continuity to the agent.
Because Incus uses Linux kernel features, it cannot be run directly on Mac. Instead, we use Colima, a lightweight Linux virtualization layer, as a stepping stone.
First, install the necessary tools and allocate resources suitable for AI tasks. If you don't provide enough CPU and memory, the agent's inference speed will drop significantly.
```bash
brew install colima incus
colima start --cpu 4 --memory 8 --runtime incus --network-address
```
Connect to the Incus server inside the Colima VM so you can control it from your Mac terminal.
Run `colima ssh` to enter the VM and initialize Incus there with `sudo incus admin init --auto`. Then, from your Mac, run `incus remote add colima-vm <IP>` so the client points at the VM. Internet access from inside the containers is often blocked. This usually happens because environments with Docker installed change the iptables policy to DROP. You must open the path with the following commands:
```bash
sudo firewall-cmd --zone=trusted --change-interface=incusbr0 --permanent
sudo firewall-cmd --reload
```
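As an added example (not code from the original post), here is a profile that turns the article's recommendations into Incus configuration and launches the agent container from it. The profile name, container name, image and resource numbers are my assumptions; the config keys (`security.privileged`, `security.nesting`, `security.idmap.isolated`, `limits.cpu`, `limits.memory`, `limits.processes`) are standard Incus keys. The launch step runs only when the `incus` client is on the PATH, so the script can be read and checked on any machine.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a hardened Incus profile for an
# AI coding agent. Names and numbers below are assumptions.

PROFILE_NAME="agent-sandbox"
CONTAINER_NAME="claude-agent"
IMAGE="images:ubuntu/24.04"   # assumption: any Incus container image works

# Emit the profile as YAML. Keeping it in a function lets a CI job diff it
# against what `incus profile show` returns on the host.
render_profile() {
  cat <<'EOF'
description: Unprivileged sandbox for an AI coding agent
config:
  security.privileged: "false"      # root inside maps to an unprivileged host UID
  security.nesting: "false"         # no nested containers or docker inside
  security.idmap.isolated: "true"   # UID range not shared with other containers
  limits.cpu: "4"
  limits.memory: 6GiB               # leaves headroom below the 8 GiB Colima VM
  limits.processes: "2000"          # bounds a fork bomb from a runaway tool call
devices:
  root:
    type: disk
    pool: default
    path: /
    size: 20GiB
  eth0:
    type: nic
    network: incusbr0
EOF
}

# Return 0 only if the YAML carries every hardening setting we rely on
# and does not bind-mount a macOS home directory into the container.
profile_is_hardened() {
  yaml="$1"
  printf '%s\n' "$yaml" | grep -q 'security.privileged: "false"' || return 1
  printf '%s\n' "$yaml" | grep -q 'security.nesting: "false"' || return 1
  printf '%s\n' "$yaml" | grep -q 'limits.memory:' || return 1
  printf '%s\n' "$yaml" | grep -q 'source: /Users' && return 1
  return 0
}

# Create or update the profile and launch the container; skipped when the
# incus client is absent so the script still runs for review elsewhere.
apply_and_launch() {
  command -v incus >/dev/null 2>&1 || { echo "incus not installed; skipping launch" >&2; return 2; }
  incus profile show "$PROFILE_NAME" >/dev/null 2>&1 || incus profile create "$PROFILE_NAME"
  render_profile | incus profile edit "$PROFILE_NAME"
  incus launch "$IMAGE" "$CONTAINER_NAME" --profile "$PROFILE_NAME"
  # Show the UID mapping the container actually got.
  incus exec "$CONTAINER_NAME" -- cat /proc/self/uid_map
}

main() {
  yaml="$(render_profile)"
  if profile_is_hardened "$yaml"; then
    echo "profile $PROFILE_NAME passes hardening checks"
  else
    echo "profile $PROFILE_NAME is missing a hardening setting" >&2
    return 1
  fi
  apply_and_launch || true
}

main "$@"
```

Run it from the Mac once `incus remote add` has succeeded. The profile deliberately contains no disk device pointing at your home directory, so the agent only sees files you copy in with `incus file push`; if someone later adds a bind mount of `/Users`, `profile_is_hardened` rejects the profile.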
Let's look at specific scenarios to see how Incus protects the system if an AI agent turns malicious or is hacked.
- Environment variable theft: the agent runs printenv claiming it's for debugging, or a malicious library attempts to steal AWS keys in memory.
- SSH key exfiltration: a script scans the ~/.ssh/id_rsa path to send it externally.
In both cases the container's environment and filesystem are its own: the host's variables and the host's ~/.ssh directory are simply not present inside unless you mount them in.
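The two scenarios above, together with the User Namespaces explanation earlier, can be turned into a preflight check that runs inside the container before the agent starts. This is an added example, not from the original post: the file paths, the variable-name patterns and the sample data are my own assumptions; the `/proc/self/uid_map` format (inside-start, host-start, count) is the kernel's.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: preflight audit to run inside
# the Incus container. Checks (1) root inside maps to an unprivileged host
# UID, (2) no host SSH keys or cloud credential files are reachable,
# (3) no credential-looking variables are in the environment.

# Return 0 if inside UID 0 maps to a host UID of at least $2 (default 100000).
uid_map_is_unprivileged() {
  map="$1"; min_host="${2:-100000}"
  while read -r inside host _count; do
    [ -z "$inside" ] && continue
    if [ "$inside" -eq 0 ]; then
      # "0 0 ..." means a privileged container: root inside is root on the host.
      [ "$host" -ge "$min_host" ] && return 0
      return 1
    fi
  done <<EOF
$map
EOF
  return 1   # no entry for UID 0 at all: treat as unsafe
}

# Print how many of the given candidate secret files exist.
count_present_secret_files() {
  n=0
  for f in "$@"; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Read KEY=VALUE lines on stdin and print the names that look like credentials.
# Patterns are assumptions; extend them for your own tooling.
list_credential_vars() {
  grep -E '^(AWS_(SECRET_)?ACCESS_KEY(_ID)?|AWS_SESSION_TOKEN|GITHUB_TOKEN|ANTHROPIC_API_KEY|[A-Z0-9_]*(TOKEN|SECRET|PASSWORD))=' \
    | cut -d= -f1
}

audit() {
  rc=0
  if uid_map_is_unprivileged "$(cat /proc/self/uid_map 2>/dev/null)"; then
    echo "[ok]   root maps to an unprivileged host UID"
  else
    echo "[FAIL] container is privileged or uid_map is unreadable"; rc=1
  fi
  hits=$(count_present_secret_files "$HOME/.ssh/id_rsa" "$HOME/.ssh/id_ed25519" \
          "$HOME/.aws/credentials" "$HOME/.config/gcloud/application_default_credentials.json")
  if [ "$hits" -eq 0 ]; then
    echo "[ok]   no host key or credential files reachable"
  else
    echo "[FAIL] $hits credential file(s) reachable"; rc=1
  fi
  vars=$(env | list_credential_vars)
  if [ -z "$vars" ]; then
    echo "[ok]   no credential-looking environment variables"
  else
    echo "[FAIL] credential variables present:"; echo "$vars" | sed 's/^/       /'; rc=1
  fi
  return $rc
}

# Constructed sample data so the functions can be exercised on any machine.
SAMPLE_UNPRIV_MAP="         0    1000000 1000000000"
SAMPLE_PRIV_MAP="         0          0 4294967295"
SAMPLE_ENV=$(printf 'PATH=/usr/bin\nAWS_SECRET_ACCESS_KEY=constructed\nHOME=/root\nNPM_TOKEN=constructed\n')

echo "--- self-test on constructed samples ---"
uid_map_is_unprivileged "$SAMPLE_UNPRIV_MAP" && echo "sample unprivileged map: accepted"
uid_map_is_unprivileged "$SAMPLE_PRIV_MAP"   || echo "sample privileged map: rejected (expected)"
printf '%s\n' "$SAMPLE_ENV" | list_credential_vars
echo "--- live audit of this environment ---"
audit || echo "audit reported problems; do not start the agent here"
```

Run it with `incus exec claude-agent -- sh audit.sh` (container name assumed) and wire its exit status into whatever launches the agent. The same script run on the host terminal fails the first check, which is exactly the point the article makes about the host.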
Adopting AI without a foundation of security is technical debt that will return with a higher cost later. Just because productivity is sweet doesn't mean you can hand over your house keys to an AI entirely. An Incus sandbox is the minimum safety belt a developer in the AI era must wear.
Stop running Claude Code in your local terminal immediately. Migrating to an isolated Incus environment is the surest way to protect your code, your assets, and your career. Build your own secure development lab today with the colima start --edit command.