Claude Code for web: an asynchronous coding agent in a sandbox, without your laptop

Claude Code for web: CLI wrapped in a hosted container

Simon Willison wrote up his first tests of Claude Code for web, Anthropic's new web and mobile version of its coding agent. In practice, he describes it as the Claude Code CLI wrapped in a hosted container: pick a GitHub repository, choose an environment, give it a task, and let the agent run away from your own machine.

The result can land as a branch or pull request. While it runs, you can queue additional instructions, and if you want to take over locally, a "teleport" feature can move both the chat transcript and edited files back into the local Claude Code CLI.

Willison lists several real experiments: a small query-string stripping tool, a README update, and most notably a MiniJinja vs. Jinja2 benchmark that he prompted from an iPhone, typos included. The agent still produced the benchmark, scripts, markdown write-up, results, and charts.

Asynchronous worker, not a bigger editor

The important part is not the web UI. The important part is that the coding agent becomes an asynchronous worker: you assign a task, let it run in an isolated environment, and return to a diff or PR.

That is where practical agent workflows start to become interesting. A local chat panel in an editor is useful, but it is still sitting in your lap. A hosted agent with branches, PRs, and queued instructions starts to look like an external collaborator you can hand boxed-off work to without sharing your computer.

Sandboxing is not decoration, it is security architecture

Willison is right to separate convenience from safety. Anthropic frames the launch around sandboxing: filesystem isolation, network restrictions, domain allow-lists, and the option to run with no internet access. That is not decoration. For coding agents, the network is the crucial exfiltration path, especially under prompt injection and the "lethal trifecta" pattern: private data, untrusted instructions, and a way to send data out.

"No network access" is the cleanest mode. "Trusted network access" is a compromise: useful for dependency installation, but wider than security people will enjoy. Custom allow-lists only make sense when you know what data the agent can see and exactly which services it should be allowed to contact.

According to Simon, Claude Code for web makes the workflow easier to orchestrate rather than making the model more capable than local Claude Code. That is less flashy, but more honest.

What to watch before production deployment

Watch three things: how Anthropic manages the sandboxes, how auditable agent runs become, and what these asynchronous tasks actually cost. If this becomes another black box that spits out a PR, it will be productive but uncomfortable. If it comes with solid audit trails, network controls, and easy local handoff, it could become one of the saner models for everyday agentic development.

For teams, the practical takeaway is boring and correct: do not start by handing the agent your whole monorepo and the open internet. Start with narrow tasks, isolated repositories, no secrets in the environment, and normal PR review.

Lilith's verdict

This is less a new editor and more delegation infrastructure. If an agent can run in isolation without unlimited filesystem and network access, we can finally talk about productivity without signing a security suicide note.