Run Claude Code with --dangerously-skip-permissions inside an isolated VM - built by Claude itself.
I wanted Claude to have full autonomy but didn't want it nuking my system. So I asked Claude to solve the problem by building its own cage.
Claude researched Apple's new Containerization framework (WWDC 2025), checked my system specs, installed the tooling, built a container image, wrote a wrapper script, and tested everything. I just approved a few sudo commands.
Total time: ~15 minutes of conversation.
```sh
claude        # normal Claude (unchanged)
cldyo         # Claude in isolated VM with --dangerously-skip-permissions
cldyo -n 4    # 4 parallel Claude instances in separate VMs
```

Each instance runs in its own lightweight VM. Your project directory is mounted at /workspace. Claude can do whatever it wants inside; when it exits, the VM is destroyed.
- macOS 26+ (Tahoe)
- Apple Silicon (M1/M2/M3/M4)
- Apple container CLI
```sh
# Download the latest .pkg from:
# https://github.com/apple/container/releases
sudo installer -pkg container-installer-signed.pkg -target /
container system start
container system kernel set --recommended
```

```sh
cd macSandbox
container build -t cldyo-claude:latest .
cp cldyo ~/.local/bin/
chmod +x ~/.local/bin/cldyo
```

```sh
# Start Claude with dangerous permissions in isolated VM
cldyo

# Continue last conversation
cldyo -c

# Start with a prompt
cldyo "refactor this entire codebase"

# Spawn 4 parallel instances (opens Terminal windows)
cldyo -n 4
```

| Variable | Default | Description |
|---|---|---|
| `ANTHROPIC_API_KEY` | (required) | Passed through to container |
| `CLDYO_MEMORY` | `4G` | Memory limit per instance |
| `CLDYO_CPUS` | `2` | CPU cores per instance |
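The wrapper's core logic, as an added example (not the project's own `cldyo` script): it validates the directory that becomes `/workspace`, refuses to mount `$HOME` or `/` (the bind mount is the one path back to the host), requires `ANTHROPIC_API_KEY`, and starts one throwaway VM with the limits from `CLDYO_MEMORY` and `CLDYO_CPUS`. The `container run` flag names are assumed from the CLI's docker-style interface; confirm them with `container run --help`.

```sh
#!/bin/sh
# Added example, not the project's cldyo script. The `container run` flags
# (--rm, -i, -t, --memory, --cpus, --volume, --workdir, --env) are assumed
# from the CLI's docker-style interface; check `container run --help`.

IMAGE=cldyo-claude:latest

# Validate the host directory that will be mounted as /workspace and print
# its absolute path. Return codes: 1 bad path, 2 refused mount, 3 no API key.
cldyo_workspace() {
  [ -n "${1:-}" ] || { echo "cldyo: workspace directory required" >&2; return 1; }
  ws=$(cd "$1" 2>/dev/null && pwd -P) || {
    echo "cldyo: no such directory: $1" >&2; return 1; }
  # The bind mount is the only hole in the cage: whatever Claude writes there
  # survives the VM. Never hand it your home directory or the whole disk.
  home=$(cd "${HOME:-/}" 2>/dev/null && pwd -P) || home=/
  case "$ws" in
    /|"$home") echo "cldyo: refusing to mount $ws as /workspace" >&2; return 2 ;;
  esac
  [ -n "${ANTHROPIC_API_KEY:-}" ] || {
    echo "cldyo: ANTHROPIC_API_KEY is not set" >&2; return 3; }
  printf '%s\n' "$ws"
}

# Start one throwaway VM on the given directory; remaining args go to claude
# (e.g. -c, or a prompt). --rm destroys the VM when claude exits, and the
# CPU/memory caps keep a runaway instance from starving the host. The key is
# passed as an env var, so it is briefly visible in the host process list.
cldyo_run() {
  ws=$(cldyo_workspace "$1") || return $?
  shift
  exec container run --rm -i -t \
    --memory "${CLDYO_MEMORY:-4G}" --cpus "${CLDYO_CPUS:-2}" \
    --volume "$ws:/workspace" --workdir /workspace \
    --env "ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY" \
    "$IMAGE" claude --dangerously-skip-permissions "$@"
}
```

Run it as `cldyo_run . -c` to continue the last conversation in a fresh VM over the current directory.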
```text
┌───────────────────────────────────────────────────────┐
│  Host macOS                                           │
│                                                       │
│  ┌─────────────┐                                      │
│  │   claude    │  ← Normal, your existing setup       │
│  └─────────────┘                                      │
│                                                       │
│  ┌───────────────────────────────────────────────────┐│
│  │  cldyo → Apple Container (Lightweight VM)         ││
│  │  ┌───────────────────────────────────────────────┐││
│  │  │  Linux VM (dedicated kernel)                  │││
│  │  │  • claude --dangerously-skip-permissions      │││
│  │  │  • /workspace ← your project (mounted)        │││
│  │  │  • Isolated network, filesystem, processes    │││
│  │  └───────────────────────────────────────────────┘││
│  └───────────────────────────────────────────────────┘│
└───────────────────────────────────────────────────────┘
```
| Feature | Docker | Apple Containers |
|---|---|---|
| Isolation | Shared kernel (namespaces) | Dedicated VM per container |
| Startup | Fast | Sub-second |
| License | Commercial use requires license | Free |
| Native | Requires Docker Desktop | Built into macOS 26 |
Apple's approach gives each container its own lightweight VM with a dedicated kernel. Even if Claude escapes the container, it's still trapped in a VM. The only thing shared with the host is the project directory mounted at /workspace, so that is where anything Claude does persists after the VM is destroyed.
With 64GB RAM, you can run 8+ parallel Claude instances:
- Parallel development - Multiple features simultaneously
- A/B testing - Compare different approaches
- Agent swarm - Multiple agents on different tasks
- Code review - One instance writes, another reviews
Claude built this entire solution:
- Researched Apple's Virtualization documentation
- Discovered the new Containerization framework
- Assessed system requirements
- Installed dependencies
- Wrote all the code
- Tested the setup
It essentially built its own sandbox for running with elevated permissions.
- `Containerfile` - Container image definition
- `cldyo` - Wrapper script for transparent VM execution
MIT
Built by Claude, for Claude, with human supervision.