How the Django Co‑founder Used Claude to Reverse‑Engineer Its Own Sandbox
Simon Willison instructed Claude Cowork to explore its own application bundle, revealing that the AI runs inside a full Ubuntu 22.04 virtual machine on macOS via Apple’s Virtualization.framework, protected by a dual sandbox of VM isolation and Bubblewrap, with strict user and syscall restrictions.
Anthropic announced that Claude Cowork is now available to all Pro users. Shortly after, Django co‑founder and AI blogger Simon Willison conducted a "nest‑doll" experiment by directing Claude Code (the engine behind Cowork) to investigate its own sandbox.
"Nest‑doll" reverse engineering: Claude, tell me who you are
Willison gave Claude the command:
"Dig around in the /Applications/Claude.app directory to figure out how the sandbox works."
He then prompted Claude to "Write a detailed report about the Linux container environment you are running in." Claude complied and produced a comprehensive technical report.
Revealed: Cowork runs inside an Ubuntu virtual machine
The report shows that Claude Cowork does not use a lightweight Docker container; it launches a full Ubuntu 22.04 LTS (Jammy Jellyfish) VM on macOS using Apple’s Virtualization.framework. The guest is an ARM64 Linux system.
Kernel: Linux 6.8.0
CPU: 4 ARM64 cores
Memory: ~3.8 GiB
Disk: 10 GB root partition + 10 GB session partition
Dual sandbox protection
To prevent AI misbehavior, Anthropic applies two layers of isolation:
VM isolation: All operations occur inside the Ubuntu VM, separate from the host macOS.
Bubblewrap (bwrap) sandbox: Inside the VM, the Claude process is further confined by Bubblewrap, creating an independent network namespace, PID namespace, and a "die‑with‑parent" mechanism that destroys the container when the parent exits.
Strict permission controls
Running user: a non‑root account named brave-loving-maxwell.
Seccomp filtering: a tight syscall whitelist blocks dangerous operations.
Network proxy: all HTTP/SOCKS traffic is forced through a local proxy at localhost:3128, ensuring every network request is monitored.
This experiment gives a concrete view of the security model behind local AI assistants.
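An added example (not from Willison's report or Anthropic's code): a small Python audit that checks, from inside a Linux sandbox, the controls listed above: non-root user, seccomp filter mode, a loopback-only network namespace, and the proxy at localhost:3128. It assumes the proxy is advertised through the conventional proxy environment variables and that an isolated network namespace exposes only lo; the sample inputs are constructed.

```python
from urllib.parse import urlsplit

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed sample inputs (not captured from a real Cowork session).
SAMPLE_STATUS = "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nSeccomp:\t2\n"
SAMPLE_NET_DEV = (
    "Inter-|   Receive  |  Transmit\n"
    " face |bytes packets|bytes packets\n"
    "    lo:     0       0     0       0\n"
)
SAMPLE_ENV = {"http_proxy": "http://localhost:3128", "ALL_PROXY": "socks5h://localhost:3128"}

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def interfaces(net_dev_text):
    """Interface names from /proc/net/dev; the first two lines are headers."""
    return [l.split(":")[0].strip() for l in net_dev_text.splitlines()[2:] if ":" in l]

def proxy_configured(env, expected=("localhost", 3128)):
    """True if at least one proxy variable is set and all of them point at `expected`."""
    names = ("http_proxy", "https_proxy", "all_proxy")
    urls = [env.get(n) or env.get(n.upper()) for n in names]
    targets = [urlsplit(u if "://" in u else "//" + u) for u in urls if u]
    return bool(targets) and all((t.hostname, t.port) == expected for t in targets)

def audit(status_text, net_dev_text, env):
    """Summarise the sandbox controls visible to the current process."""
    st = parse_status(status_text)
    euid = int(st["Uid"].split()[1])  # order: real, effective, saved, filesystem
    return {
        "non_root": euid != 0,
        "seccomp": SECCOMP_MODES.get(st.get("Seccomp", "0"), "unknown"),
        "loopback_only": interfaces(net_dev_text) == ["lo"],  # heuristic (assumption)
        "proxy_configured": proxy_configured(env),
    }

if __name__ == "__main__":
    # Inside a sandbox, pass the contents of /proc/self/status and /proc/net/dev, plus os.environ.
    for name, value in audit(SAMPLE_STATUS, SAMPLE_NET_DEV, SAMPLE_ENV).items():
        print(f"{name}: {value}")
```

A result of seccomp "disabled", a root UID, or extra interfaces means the process is relying on the VM boundary alone.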
Security first, performance second
Anthropic chose a heavyweight VM approach to put safety first: even if a prompt injection succeeds or malicious code runs, the damage is confined to the temporary VM, leaving the host macOS untouched.
Different sandbox strategies
Anthropic: Bubblewrap + full VM – most robust for a local client.
Vercel: Firecracker microVMs – lightweight, suited for high‑concurrency cloud workloads.
Cloudflare: Durable Objects / Isolates – V8‑based isolation, fastest startup but more limited.
Claude’s choice of a full Linux environment explains its ability to run Python, Node.js, and various CLI tools directly, effectively giving users a complete Linux computer.
