Issue Station
Sign In
Tools hereToolbox

claude-code - 💡(How to fix) Fix sandbox.excludedCommands does not actually exempt listed commands from sandbox network enforcement [3 comments, 3 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
anthropics/claude-code#53012Fetched 2026-04-25 06:14:45
View on GitHub
Comments
3
Participants
3
Timeline
7
Reactions
0
Author
cyoungbergcyoungberg
Participants
0xbrainkid0xbrainkidcyoungbergcyoungberggithub-actions[bot]github-actions[bot]
Timeline (top)
labeled ×4commented ×3

Per the Claude Code sandboxing docs, commands listed in sandbox.excludedCommands should run entirely outside the sandbox with full host access (no proxy, no filesystem restrictions). In practice on macOS, listed commands still have sandbox network enforcement applied — direct (non-proxied) socket connections are blocked, preventing any tool that doesn't honor HTTP(S)_PROXY env vars from working.

Error Message

Error: unable to open database "md:": Invalid Input Error: Initialization function "motherduck_duckdb_cpp_init" ... threw an exception: "Failed to download http://api.motherduck.com/extension_version (attempt 5): Could not establish connection"

Root Cause

Per the Claude Code sandboxing docs, commands listed in sandbox.excludedCommands should run entirely outside the sandbox with full host access (no proxy, no filesystem restrictions). In practice on macOS, listed commands still have sandbox network enforcement applied — direct (non-proxied) socket connections are blocked, preventing any tool that doesn't honor HTTP(S)_PROXY env vars from working.

Code Example

{
  "sandbox": {
    "excludedCommands": ["bin/duckdb_query", "./bin/duckdb_query", "duckdb"],
    "network": {
      "allowedDomains": [
        "extensions.duckdb.org", "*.duckdb.org",
        "*.motherduck.com", "motherduck.com", "api.motherduck.com"
      ]
    }
  }
}

---

Error: unable to open database "md:": Invalid Input Error: Initialization
function "motherduck_duckdb_cpp_init" ... threw an exception:
"Failed to download http://api.motherduck.com/extension_version
(attempt 5): Could not establish connection"
RAW_BUFFERClick to expand / collapse

Summary

Per the Claude Code sandboxing docs, commands listed in sandbox.excludedCommands should run entirely outside the sandbox with full host access (no proxy, no filesystem restrictions). In practice on macOS, listed commands still have sandbox network enforcement applied — direct (non-proxied) socket connections are blocked, preventing any tool that doesn't honor HTTP(S)_PROXY env vars from working.

Environment

  • Claude Code: 2.1.119
  • OS: macOS (Darwin 25.3.0, arm64)
  • Sandbox backend: Seatbelt

Configuration

.claude/settings.local.json:

{
  "sandbox": {
    "excludedCommands": ["bin/duckdb_query", "./bin/duckdb_query", "duckdb"],
    "network": {
      "allowedDomains": [
        "extensions.duckdb.org", "*.duckdb.org",
        "*.motherduck.com", "motherduck.com", "api.motherduck.com"
      ]
    }
  }
}

~/.claude/settings.json has a sandbox block with enabled: true and filesystem rules but no excludedCommands. Per docs, array settings merge across scopes.

Expected

When running bin/duckdb_query queries/foo.sql (listed in excludedCommands), the command runs fully outside the sandbox. The DuckDB motherduck extension's init call to api.motherduck.com succeeds via a direct connection.

Actual

The command runs without a permission prompt (allow rule matches), but the motherduck extension fails:

Error: unable to open database "md:": Invalid Input Error: Initialization
function "motherduck_duckdb_cpp_init" ... threw an exception:
"Failed to download http://api.motherduck.com/extension_version
(attempt 5): Could not establish connection"

The motherduck extension does not honor HTTP(S)_PROXY env vars, so it attempts a direct socket connection. That fails even though:

  1. bin/duckdb_query and duckdb are both in excludedCommands
  2. api.motherduck.com is in sandbox.network.allowedDomains
  3. curl https://api.motherduck.com/ from the same shell succeeds (via the sandbox's localhost:60263 HTTPS proxy)
  4. Unsetting all *_proxy env vars before running still produces the same failure — confirming the sandbox, not env-var confusion, is blocking the connection

Impact

Every sandbox-blocked call forces a fallback to dangerouslyDisableSandbox: true, which by design always prompts the user and cannot be allowlisted. Result: the user approves a sandbox-disable prompt for every invocation of a tool that was explicitly placed in excludedCommands to avoid exactly this.

Reproduction

  1. Install DuckDB with the motherduck extension and authenticate.
  2. Add "duckdb" to sandbox.excludedCommands in .claude/settings.local.json.
  3. From Claude Code, have the assistant run duckdb md: < some_query.sql.
  4. Observe the "Could not establish connection" failure.

extent analysis

TL;DR

The issue can be mitigated by configuring the sandbox to allow direct connections for excluded commands or by modifying the motherduck extension to honor HTTP(S)_PROXY environment variables.

Guidance

  • Verify that the excludedCommands configuration is correctly merged across scopes and that the commands are indeed excluded from the sandbox.
  • Check the sandbox's network enforcement settings to ensure that direct connections are allowed for the excluded commands.
  • Consider modifying the motherduck extension to honor HTTP(S)_PROXY environment variables to enable proxied connections.
  • Test the curl command with the --noproxy option to confirm that the issue is indeed related to the sandbox's network enforcement.

Example

No code snippet is provided as the issue is related to configuration and network enforcement rather than code.

Notes

The issue is specific to macOS and the Seatbelt sandbox backend, and the solution may vary depending on the specific environment and configuration.

Recommendation

Apply a workaround by configuring the sandbox to allow direct connections for excluded commands, as modifying the motherduck extension to honor HTTP(S)_PROXY environment variables may not be feasible. This will allow the excluded commands to run outside the sandbox with full host access.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#index setup#retrieval issue#search optimization#API routing

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

claude-code - 💡(How to fix) Fix sandbox.excludedCommands does not actually exempt listed commands from sandbox network enforcement [3 comments, 3 participants]