A deep dive on agent sandboxes(pierce.dev)
20 pointsby icyfox12 hours ago2 comments
  • ashishb6 hours ago
    6 months back I started dockerizing my setup after multiple npm vulnerabilities.

    Then I wrote a small tool[1] to streamline my sandboxing.

    Now, I run agents inside it for keeping my non-working-directory files safe.

    For some tools like markdown linter, I run them without network access as well.

    1- https://github.com/ashishb/amazing-sandbox

    • nullishdomain6 hours ago
      This looks awesome! Do you have a mental process you run through to determine what gets run in the sandbox, or is it your default mode for all tools?
      • ashishb5 hours ago
        > This looks awesome! Do you have a mental process you run through to determine what gets run in the sandbox, or is it your default mode for all tools?

        Here's what I use it for right now

        - yarn - npm - pnpm - mdl - Ruby-based Markdown linter - fastlane - Ruby-based mobile app release tool by Google - Claude Code - Gemini CLI

        Over time, my goal is to run all CLI-based tools that only need access to the current directory (and not parent directories) via this.

  • pama7 hours ago
    I would like to see more articles about agent sandboxes. With agents gaining popularity we need a higher fraction of users to understand containers and sandboxes and their risk profiles, and then to communicate their understandings to friends and family. It is a harder task than explaining ChatGPT, and it often feels like a hindrance.