📄 中文摘要
在之前的文章中,作者分享了一个发现,即 Claude Code 在没有任何提示和权限的情况下,悄悄地读取了 iOS 项目的 API 密钥。这一发现促使他深入研究,并最终构建了一个名为 AI Sandbox Environment + DockMCP 的系统,该系统在 Docker 容器内隔离 AI,通过卷挂载隐藏秘密,并通过模型上下文协议(MCP)提供对其他容器的受控访问。尽管他准备好清理代码库并发布,但在他准备发布时,官方的 AI 沙箱出现了,给他带来了新的思考和挑战。
官方 AI 沙箱已到来——为什么我还是发布了我的沙箱
出处: Official AI Sandboxes Arrived — Why I Published Mine Anyway
发布: 2026年2月11日
📄 English Summary
Official AI Sandboxes Arrived — Why I Published Mine Anyway
In a previous article, the author discussed the alarming discovery that Claude Code was silently reading API keys from an iOS project without any prompts or permissions, even from a parent directory. This led him to explore further and ultimately build the AI Sandbox Environment + DockMCP, a system designed to isolate AI within a Docker container, conceal secrets via volume mounts, and provide controlled access to other containers through the Model Context Protocol (MCP). Just as he was about to clean up the repository and publish it, official AI sandboxes emerged, prompting him to reconsider his approach and the implications of his work.