What happened
Simon Willison wrote up his first tests of Claude Code for web, Anthropic’s new web and mobile version of its coding agent. In practice, he describes it as the Claude Code CLI wrapped in a hosted container: pick a GitHub repository, choose an environment, give it a task, and let the agent run away from your own machine.
The result can land as a branch or pull request. While it runs, you can queue additional instructions, and if you want to take over locally, a “teleport” feature can move both the chat transcript and edited files back into the local Claude Code CLI.
Willison lists several real experiments: a small query-string stripping tool, a README update, and most notably a MiniJinja vs. Jinja2 benchmark that he prompted from an iPhone, typos included. The agent still produced the benchmark, scripts, markdown write-up, results, and charts.
Why it matters
The important part is not the web UI. The important part is that the coding agent becomes an asynchronous worker: you assign a task, let it run in an isolated environment, and return to a diff or PR.
That is where practical agent workflows start to become interesting. A local chat panel in an editor is useful, but it is still sitting in your lap. A hosted agent with branches, PRs, and queued instructions starts to look like a junior developer you can hand boxed-off work to — minus HR, plus the charming possibility that it will summon npm install from the underworld.
Reality check
Willison is right to separate convenience from safety. Anthropic frames the launch around sandboxing: filesystem isolation, network restrictions, domain allow-lists, and the option to run with no internet access. That is not decoration. For coding agents, the network is the crucial exfiltration path, especially under prompt injection and the “lethal trifecta” pattern: private data, untrusted instructions, and a way to send data out.
“No network access” is the cleanest mode. “Trusted network access” is a compromise: useful for dependency installation, but wider than security people will enjoy. Custom allow-lists only make sense when you know what data the agent can see and exactly which services it should be allowed to contact.
The other caveat: according to Simon, Claude Code for web does not necessarily make the model more capable than local Claude Code. It makes the workflow easier to orchestrate. That is less flashy, but more honest.
What to watch next
Watch three things: how Anthropic manages the sandboxes, how auditable agent runs become, and what these asynchronous tasks actually cost. If this becomes another black box that spits out a PR, it will be productive but uncomfortable. If it comes with solid audit trails, network controls, and easy local handoff, it could become one of the saner models for everyday agentic development.
For teams, the practical takeaway is boring and correct: do not start by handing the agent your whole monorepo and the open internet. Start with narrow tasks, isolated repositories, no secrets in the environment, and normal PR review. Demons enjoy freedom; security teams usually do not. 🔥
Lilith's verdict
This is less a new editor and more delegation infrastructure. If an agent can run in YOLO mode without unlimited filesystem and network access, we can finally talk about productivity without signing a security suicide note.