惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cisco Talos Blog
Cisco Talos Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Jina AI
Jina AI
雷峰网
雷峰网
The Register - Security
The Register - Security
The Cloudflare Blog
博客园 - 【当耐特】
M
MIT News - Artificial intelligence
I
InfoQ
博客园 - 三生石上(FineUI控件)
H
Help Net Security
博客园 - 司徒正美
Vercel News
Vercel News
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
B
Blog
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
L
LangChain Blog
人人都是产品经理
人人都是产品经理
GbyAI
GbyAI
T
The Blog of Author Tim Ferriss
T
Tailwind CSS Blog
aimingoo的专栏
aimingoo的专栏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Recorded Future
Recorded Future
小众软件
小众软件
Martin Fowler
Martin Fowler
罗磊的独立博客
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Apple Machine Learning Research
Apple Machine Learning Research
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
Y
Y Combinator Blog
V
Visual Studio Blog
F
Fortinet All Blogs
Microsoft Azure Blog
Microsoft Azure Blog
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
N
Netflix TechBlog - Medium
V
V2EX
Blog — PlanetScale
Blog — PlanetScale

Sophie Alpert

There are no lossless transformations of natural-language text Deconstructing “services” Materialized views are obviously useful TODOs aren’t for doing Everyone is wrong about that Slack flowchart Hire me to empower and upskill your eng team How React Changed the Web Forever: A Documentary Fast and maintainable patterns for fetching from a database React Conf: “Building a Custom React Renderer” Why review code? Metrics by proxy Yak shaving and fixing Voice React Conf: “React Today and Tomorrow” Why we host conference talk dry runs React Podcast: Inside React Type errors with inference need stacks Observable programming React 16: an API-compatible rewrite Hi, I’m trans. Initializing on the main thread using dispatch_once A near-perfect oninput shim for IE 8 and 9 Using React to speed up the Khan Academy question editor What I did at Khan Academy, 2012 edition Preventing XSS attacks when embedding JSON in HTML Rolling back to an old revision in Mercurial (like git reset)
I don’t want AI agents controlling my laptop
Sophie Alpert · 2025-09-09 · via Sophie Alpert

Part of me is always unnerved when I see people running claude --dangerously-skip-permissions or codex --yolo to give them unfettered ability to run commands on their machine. Admittedly, I do usually hit approve when I’m asked about a specific command, so I certainly understand the temptation to just avoid all that fuss and do a blanket approval. With the next generation of apps that people are building to control everything on your computer via some AI chat interface, it feels perhaps even scarier.

The problem is, modern desktop operating systems are not really designed for strong security boundaries between different things running on your machine. Sure, there are some protections like “you can’t record the screen without the user granting explicit permission”, but if you want AI to be able to take actions on your computer then you need to turn most of this stuff on. Different user accounts act as a security boundary but in practice everyone does all their work under a single user account.

There’s no good way to say “allow access to everything on my computer, except for my password manager, my bank, my ~/.aws/credentials file, and the API keys I left in my environment variables”. Especially with Simon Willison’s lethal trifecta, you don’t really want to be giving access to these things, even if most of the time, nothing bad happens.

Barring a major rearchitecture (which maybe Apple and Microsoft are working on), it’s too hard in practice to grant access to your whole laptop and know exactly what things the AI has access to and feel confident that there’s nothing too sensitive. (I do appreciate Codex’s clever default of running commands in sandboxes that can’t communicate over the network or write files outside the repo directory.)

There are two promising solutions here.

Cloud environments (and VMs in general) are one. A bit more annoying to set up but you also get the bonus of reproducibility across a team, being able to run multiple sessions in parallel, and easier collaboration. I expect most coding agents to move in this direction (Codex already offers this; Claude Code is working on it). In corporate environments, it will make more sense to give AI agents their own credentials that don’t necessarily have all the permissions that are available to the user who spawned them.

The other piece of software on my machine designed to handle isolated environments that don’t leak between each other is the browser. Each site has its own cookies that are protected from other sites, and entire applications are designed to run successfully within this framework. Giving full access is scary — Perplexity has screwed it up, Anthropic knows it doesn’t have a workable solution yet. But if integrated properly into the browser, you actually could plausibly pick and choose which sites to give access to (or not give access to) and have the browser enforce those boundaries. Looking forward to this existing. It’s not really possible to build this properly unless you have control over the browser itself. Atlassian’s bet on using The Browser Company to build (presumably) the new “home” for all business SaaS interaction is persuasive to me in this light. This approach seems more likely to succeed than building a browser that didn’t have a clear value proposition for the consumer space where distribution is king.