(2025-10-21) Willison Claude Code For Web A New Asynchronous Coding Agent From Anthropic
Simon Willison: Claude Code for web - a new asynchronous coding agent from Anthropic.
In this newsletter:
- Claude Code for web - a new asynchronous coding agent from Anthropic
- Getting DeepSeek-OCR working on an NVIDIA Spark via brute force using Claude Code
- OpenAI’s new Atlas browser
Anthropic launched Claude Code for web this morning. It’s an asynchronous coding agent - their answer to OpenAI’s Codex Cloud and Google’s Jules, and has a very similar shape. I had preview access over the weekend and I’ve already seen some very promising results from it.
It’s available online at claude.ai/code
As far as I can tell it’s their latest Claude Code CLI app wrapped in a container (Anthropic are getting really good at containers these days) and configured to --dangerously-skip-permissions. It appears to behave exactly the same as the CLI tool, and includes a neat “teleport” feature which can copy both the chat transcript and the edited files down to your local Claude Code CLI tool if you want to take over locally.
You point Claude Code for web at a GitHub repository, select an environment (fully locked down, restricted to an allow-list of domains or configured to access domains of your choosing, including “” for everything) and kick it off with a prompt.
While it’s running you can send it additional prompts which are queued up and executed after it completes its current step.*
Once it’s done it opens a branch on your repo with its work and can optionally open a pull request.
Putting Claude Code for web to work
Claude Code for web’s PRs are indistinguishable from Claude Code CLI’s,
Note that I would likely have got the exact same result running this prompt against Claude CLI on my laptop. The benefit of Claude Code for web is entirely in its convenience as a way of running these tasks in a hosted container managed by Anthropic, with a pleasant web and mobile UI layered over the top.
Anthropic are framing this as part of their sandboxing strategy
Claude Code’s new sandboxing features, a bash tool and Claude Code on the web, reduce permission prompts and increase user safety by enabling two boundaries: filesystem and network isolation.
I’m very excited to hear that Claude Code CLI is taking sandboxing more seriously. I’ve not yet dug into the details of that - it looks like it’s using seatbelt on macOS and Bubblewrap on Linux.
If you run Claude Code for web in “No network access” mode you have nothing to worry about.
I’m a little bit nervous about their “Trusted network access” environment. It’s intended to only allow access to domains relating to dependency installation, but the default domain list has dozens of entries which makes me nervous about unintended exfiltration vectors sneaking through.
You can also configure a custom environment with your own allow-list
I see Anthropic’s focus on sandboxes as an acknowledgment that coding agents run in YOLO mode (--dangerously-skip-permissions and the like) are enormously more valuable and productive than agents where you have to approve their every step.
The challenge is making it convenient and easy to run them safely. This kind of sandboxing kind is the only approach to safety that feels credible to me.
DeepSeek
DeepSeek released a new model yesterday: DeepSeek-OCR, a 6.6GB model fine-tuned specifically for OCR.
Bonus: Using VS Code to monitor the container
*Link 2025-10-18 Andrej Karpathy — AGI is still a decade away:
Extremely high signal 2 hour 25 minute (!) conversation between Andrej Karpathy and Dwarkesh Patel.*
It starts with Andrej’s claim that “the year of agents” is actually more likely to take a decade
It turns out Andrej is using a different definition of agents to the one that I prefer - emphasis mine:
- When you’re talking about an agent, or what the labs have in mind and maybe what I have in mind as well, you should think of it almost like an employee or an intern that you would hire to work with you. For example, you work with some employees here.
- They don’t have enough intelligence, they’re not multimodal enough, they can’t do computer use and all this stuff.
- They don’t do a lot of the things you’ve alluded to earlier. They don’t have continual learning
Yeah, continual learning human-replacement agents definitely isn’t happening in 2025! Coding agents that are really good at running tools in the loop on the other hand are here already.
I loved this bit introducing an analogy of LLMs as ghosts or spirits, as opposed to having brains like animals or humans:
- Brains just came from a very different process, and I’m very hesitant to take inspiration from it because we’re not actually running that process. In my post, I said we’re not building animals. We’re building ghosts or spirits or whatever people want to call it, because we’re not doing training by evolution. We’re doing training by imitation of humans and the data that they’ve put on the Internet.
- You end up with these ethereal spirit entities because they’re fully digital and they’re mimicking humans
The post Andrej mentions is Animals vs Ghosts on his blog.
Update: Here’s an essay length tweet from Andrej clarifying a whole bunch of the things he talked about on the podcast.
Link 2025-10-18 The AI water issue is fake: Andy Masley
All U.S. data centers (which mostly support the internet, not AI) used 200--250 million gallons of freshwater daily in 2023. The U.S. consumes approximately 132 billion gallons of freshwater daily.
See also this TikTok by MyLifeIsAnRPG, who points out that the beef industry and fashion and textiles industries use an order of magnitude more water (~90x upwards) than data centers used for AI.
ChatGPT Atlas
*Link 2025-10-21 Introducing ChatGPT Atlas:
Last year OpenAI hired Chrome engineer Darin Fisher, which sparked speculation they might have their own web browser in the pipeline. Today it arrived.*
ChatGPT Atlas is a Mac-only web browser with a variety of ChatGPT-enabled features. You can bring up a chat panel next to a web page, which will automatically be populated with the context of that page.
If you turn on browser memories, ChatGPT will remember key details from your web browsing to improve chat responses and offer smarter suggestions—like retrieving a webpage you read a while ago. Browser memories are private to your account and under your control
Atlas also has an experimental “agent mode” where ChatGPT can take over navigating and interacting with the page for you, accompanied by a weird sparkle overlay effect:
In agent mode, ChatGPT can complete end to end tasks for you like researching a meal plan, making a list of ingredients, and adding the groceries to a shopping cart ready for delivery. You’re always in control: ChatGPT is trained to ask before taking many important actions, and you can pause, interrupt, or take over the browser at any time.
I continue to find this entire category of browser agents deeply confusing.
The security and privacy risks involved here still feel insurmountably high to me - I certainly won’t be trusting any of these products until a bunch of security researchers have given them a very thorough beating.
I’d like to see a deep explanation of the steps Atlas takes to avoid prompt injection attacks. Right now it looks like the main defense is expecting the user to carefully watch what agent mode is doing at all times!*
The Atlas user-agent is Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 - identical to the user-agent I get for the latest Google Chrome on macOS.
The Brave security team wrote about prompt injection against browser agents a few months ago (here are my notes on that). Here’s their follow-up:
What we’ve found confirms our initial concerns: indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers. [...]
As we’ve written before, AI-powered browsers that can take actions on your behalf are powerful yet extremely risky.
Edited: | Tweet this! | Search Twitter for discussion
Made with flux.garden