zlacker

[return to "Coding Agent VMs on NixOS with Microvm.nix"]
1. the_ha+k7b[view] [source] 2026-02-04 15:38:41
>>secure+(OP)
The sandbox-or-not debate is important but it's only half the picture. Even a perfectly sandboxed agent can still generate code with vulnerabilities that get deployed to production - SQL injection, path traversal, hardcoded secrets, overly permissive package imports.

The execution sandbox stops the agent from breaking out during development, but the real risk is what gets shipped downstream. Seeing more tools now that scan the generated code itself, not just contain the execution environment.

◧◩
2. mystif+tZb[view] [source] 2026-02-04 19:33:18
>>the_ha+k7b
> not just contain the execution environment.

See, my typical execution environment is a Linux vm or laptop, with a wide variety of SSH and AWS keys configured and ready to be stolen (even if they are temporary, it's enough to infiltrate prod, or do some sneaky lateral movement attack). On the other hand, typical application execution environment is an IAM user/role with strictly scoped permissions.

[go to top]