dev3o's comments

Author here. I built this because I run Claude Code with --dangerously-skip-permissions and wanted actual protection from supply chain attacks.

Claude's built-in sandbox allows read-only access everywhere, which means Shai-Hulud-style malware can still read ~/.ssh and ~/.aws or private folders. sx blocks reads entirely.

It's a thin wrapper around macOS Seatbelt. Zero overhead, deny-by-default.

