1 point by dev3o 3 hours ago | 1 comment
  • dev3o 2 hours ago
    Author here. I built this because I run Claude Code with --dangerously-skip-permissions and wanted actual protection from supply chain attacks.

    Claude's built-in sandbox allows read-only access everywhere, which means Shai-Hulud-style malware can still read ~/.ssh and ~/.aws or private folders. sx blocks reads entirely.

    It's a thin wrapper around macOS Seatbelt. Zero overhead, deny-by-default.
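
The read-everywhere versus deny-by-default distinction in the comment above, as an added example that is not part of the original post and is not sx's code: a lexical model of read allowlisting that reports which credential files stay readable under each policy and renders the allowlist as Seatbelt file-read rules. The home directory, project path and allowlist roots are constructed assumptions, and the rendered rules cover file reads only, not the other operations a real profile would need to permit.

```python
import posixpath
from pathlib import PurePosixPath

HOME = PurePosixPath("/Users/alice")      # constructed sample home directory
PROJECT = HOME / "code/myapp"             # constructed project directory

# Policy A (assumed model of "read-only everywhere"): every path is readable.
READ_EVERYWHERE = [PurePosixPath("/")]
# Policy B (hypothetical deny-by-default allowlist): system paths + project only.
READ_ALLOWLIST = [PurePosixPath(p) for p in ("/usr", "/bin", "/System", "/Library")]
READ_ALLOWLIST.append(PROJECT)

# Credential locations named in the comment, placed under the sample home.
SENSITIVE = [str(HOME / ".ssh/id_ed25519"), str(HOME / ".aws/credentials")]


def read_allowed(path, allow):
    """True if `path` is an allowed root or lies beneath one.

    The path is normalized lexically first so '..' cannot climb out of a root,
    and matching is per component, so code/myapp does not cover code/myapp-old.
    Symlinks are not resolved in this model.
    """
    p = PurePosixPath(posixpath.normpath(path))
    return any(p == root or root in p.parents for root in allow)


def exposed(paths, allow):
    """Return the subset of `paths` that a sandboxed process could still read."""
    return [p for p in paths if read_allowed(p, allow)]


def seatbelt_read_rules(allow):
    """Render the allowlist as Seatbelt (SBPL) rules: deny all, then allow reads."""
    rules = ["(version 1)", "(deny default)"]
    rules += [f'(allow file-read* (subpath "{root}"))' for root in allow]
    return "\n".join(rules)


if __name__ == "__main__":
    print("read-everywhere exposes:", exposed(SENSITIVE, READ_EVERYWHERE))
    print("allowlist exposes:      ", exposed(SENSITIVE, READ_ALLOWLIST))
    print(seatbelt_read_rules(READ_ALLOWLIST))
```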