
[return to "A deep dive on agent sandboxes"]
1. ashish+bz 2026-01-13 05:29:06
>>icyfox+(OP)
6 months back I started dockerizing my setup after multiple npm vulnerabilities.

Then I wrote a small tool[1] to streamline my sandboxing.

Now I run agents inside it to keep my non-working-directory files safe.

For some tools, like the markdown linter, I run them without network access as well.

[1] https://github.com/ashishb/amazing-sandbox

2. nullis+iA 2026-01-13 05:43:04
>>ashish+bz
This looks awesome! Do you have a mental process you run through to determine what gets run in the sandbox, or is it your default mode for all tools?
3. ashish+wE 2026-01-13 06:37:48
>>nullis+iA
> This looks awesome! Do you have a mental process you run through to determine what gets run in the sandbox, or is it your default mode for all tools?

Here's what I use it for right now:

- yarn
- npm
- pnpm
- mdl - Ruby-based Markdown linter
- fastlane - Ruby-based mobile app release tool by Google
- Claude Code
- Gemini CLI

Over time, my goal is to run all CLI-based tools that only need access to the current directory (and not parent directories) via this.
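
Added example, not part of the thread and not code from amazing-sandbox: a minimal shell wrapper for the approach the comments describe, mounting only the current directory and leaving the network off unless a tool needs it. The function name `sandbox_run`, the `NET` and `SANDBOX_DOCKER` variables and the image names are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not taken from amazing-sandbox. sandbox_run, NET and
# SANDBOX_DOCKER are hypothetical names; image names are placeholders.
#
# usage: sandbox_run <image> <command> [args...]
#   NET=none    (default) no network, e.g. for a Markdown linter
#   NET=bridge  for tools that must reach a registry (npm, yarn, pnpm)
#   SANDBOX_DOCKER=echo  prints the docker command instead of running it
sandbox_run() {
  local image workdir home_real
  if [ "$#" -lt 2 ]; then
    echo "usage: sandbox_run <image> <command> [args...]" >&2
    return 2
  fi
  image="$1"; shift

  # Resolve symlinks so the real directory is what gets mounted.
  workdir="$(pwd -P)"
  home_real="$(cd "${HOME:-/}" 2>/dev/null && pwd -P)" || home_real=""

  # Mounting / or $HOME would expose the very files the sandbox should hide.
  if [ "$workdir" = "/" ] || [ "$workdir" = "$home_real" ]; then
    echo "sandbox_run: refusing to mount $workdir; cd into a project" >&2
    return 1
  fi

  # --user keeps files written to /work owned by the caller, not root.
  # HOME=/tmp gives tools a writable home inside the container.
  "${SANDBOX_DOCKER:-docker}" run --rm \
    --network "${NET:-none}" \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --user "$(id -u):$(id -g)" \
    --env HOME=/tmp \
    --volume "$workdir:/work" \
    --workdir /work \
    "$image" "$@"
}
```

Only the project directory is bind-mounted, so parent directories and dotfiles in the home directory are not visible to the tool; anything inside the project directory itself remains readable and writable by it.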
