I do similar but it's incredible how our threat model has changed so much to allow this. I have to trust this one node package (and all its dependencies) and Anthropic more than I trust my email provider, my ISP or my browser.
Who'd have imagined remote code execution as a service would have caught on as much as it has!
This is why I don't use Claude Code on my personal machine. My work machine, sure, my work encourages that. My personal machine, I use Claude through Zed with an API key, and manually approve every command.
I don't run Claude Code in YOLO mode, I just approve commands the first time I'm asked about them.
Using them since July I haven't found any problem with data loss and the clanker have not tried to delete my $HOME.