sandboxes: clarify security implications for auth methods

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>

Author: dvdksn

content/manuals/ai/sandboxes/get-started.md

@@ -46,9 +46,9 @@ Follow these steps to run a sandbox with Claude Code:
    2. Restart Docker Desktop so the daemon picks up the new environment variable.
 
    Alternatively, you can skip this step and authenticate interactively when
-   Claude Code starts. If no credentials are found, you'll be prompted to log
-   in. Note that interactive authentication requires you to authenticate for
-   each workspace separately.
+   Claude Code starts. Interactive authentication is less secure and requires
+   you to re-authenticate for each workspace. See
+   [Credential security](workflows.md#credential-security) for details.
 
 2. Create and run a sandbox for Claude Code for your workspace:
 

content/manuals/ai/sandboxes/workflows.md

@@ -117,6 +117,22 @@ To preserve a configured environment, create a [Custom template](templates.md).
 
 ## Security considerations
 
+### Credential security
+
+Set API keys as environment variables on the host rather than authenticating
+interactively inside a sandbox. When you set credentials on the host, Docker
+Sandboxes proxies API calls from the sandbox through the host daemon, so the
+agent never has direct access to the raw key.
+
+When you authenticate interactively, credentials are stored inside the sandbox
+where the agent can read them directly. This creates a risk of credential
+exfiltration if the agent is compromised or behaves unexpectedly.
+
+Interactive authentication also requires you to re-authenticate for each
+workspace separately.
+
+### Workspace trust
+
 Agents running in sandboxes automatically trust the workspace directory without
 prompting. This enables agents to work freely within the isolated environment.