From f532d5bae40f4f6b5dc4049becedec35aa286be6 Mon Sep 17 00:00:00 2001 From: Luna Date: Tue, 10 Jun 2025 22:39:36 -0300 Subject: [PATCH] update readme --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0c070ff..2f20c50 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,14 @@ sandboxing claude code in a very primitive manner. ## DOES NOT PROTECT AGAINST -- claude generating OR running malicious code -- container escapes +- claude generating malicious code + - if you `hako sync` malicious code made by it and then build-and-run, you're cooked +- running malicious code + - malicious code can escape the container + - malicious code can exfiltrate container FS to evil server + - malicious code can run cryptocurrency miners + - the container MUST have network access (or how tf do you think claude can access claude???) + - i am NOT writing a proxy that denies everything except claude.ai. maybe someone else can ask their claude to do it ## install
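Review bot: In the new `running malicious code` sub-list, the last two bullets (`the container MUST have network access ...` and `i am NOT writing a proxy ...`) are not things malicious code does; they are the reason the exfiltration and miner items cannot be blocked. Consider moving them into their own top-level entry under `DOES NOT PROTECT AGAINST`, stating plainly that outbound network access from the container is unrestricted, so a reader scanning the list sees the egress limitation directly. The `hako sync` bullet does not say where the build-and-run happens; naming the location (inside or outside the container) would make clear which boundary is being crossed. The subject line `update readme` could also name the change, since the diff expands the list of unprotected cases.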