diff --git a/README.md b/README.md index 0c070ff..2f20c50 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,14 @@ sandboxing claude code in a very primitive manner. ## DOES NOT PROTECT AGAINST -- claude generating OR running malicious code -- container escapes +- claude generating malicious code + - if you `hako sync` malicious code made by it and then build-and-run, you're cooked +- running malicious code + - malicious code can escape the container + - malicious code can exfiltrate container FS to evil server + - malicious code can run cryptocurrency miners + - the container MUST have network access (or how tf do you think claude can access claude???) + - i am NOT writing a proxy that denies everything except claude.ai. maybe someone else can ask their claude to do it ## install
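Review bot: the rewritten "DOES NOT PROTECT AGAINST" list demotes "container escapes" from its own top-level bullet to a sub-point under "running malicious code", which narrows the stated threat model: the old wording covered escapes regardless of how the code got into the container, while the new nesting reads as if escapes only matter for code Claude generated. Consider keeping "container escapes" as a standalone bullet so readers skimming the list still see that the sandbox boundary itself is best-effort. Relatedly, the `hako sync` sub-bullet warns that syncing and then build-and-run gets you "cooked" but gives no mitigation; a short line such as "review the synced diff before you build-and-run" would turn the warning into actionable guidance. Finally, the network-access bullet justifies why the container stays online but not what that means for the user; one sentence stating that anything readable inside the container should be treated as exposable (which the exfiltration sub-bullet already implies) would make the consequence explicit.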