What are (agent) sandboxes useful for?

Jul 10, 2026

If you use coding agents, a lot of things happen between your prompt and the LLMs your agents use. But given agents work with something on your machine (that's your codebase), agents need to and can execute commands on your machine.

Can you trust the machine overlord?

LLMs can and do make mistakes. So is the code generated by LLM. Implication being sometimes the generated code messes up your system, or exports your data to malicious actors (see prompt injection).

Code has to run somewhere, and if you use a coding agent running on your local machine, that'll be your laptop. Which means, if the stars are not aligned in your favor, an agent might run code that punches a pretty wide hole in your system's security 😱.

(Sand)box them up!

Spin up a sandbox (if you're a user, this should be abstracted away for you by coding agent developers) and execute the code there. If the code does funny stuff, it'll be contained within the sandbox.

Agent sandboxes often run with network isolation - you can talk to sandboxes, but sandboxes can't talk to your system. Sandbox permissions will also be restricted. Because you can still mount volumes to a sandbox, this restricts which paths are mountable (and some paths should be off-limits!).

In production-land, things are different

For agentic apps that don't run locally - as in you need to deploy the app somewhere so other people can use it, you'll run into this issue: code to execute is different for each user/session. For an analytics agent that can crunch the data for you based on your prompt, that'll be a lot of temp files for each run.

To prevent the code from accidentally picking up data via leftover artifacts (which might contain data some users shouldn't see), the code should be executed via an ephemeral runner. This way, each code execution starts from a fresh state, and leftover data is deleted once the associated sandbox expires.

There are many vendors for production agent sandboxes, but check out Agent Sandbox (SIG) if you want an OSS and K8s solution. Currently it supports Go and Python SDKs. You can create a custom sandbox template as well — this can reduce the time needed to bootstrap your sandbox if you require a lengthy initialization.

For better sandbox isolation via Agent Sandbox (SIG), use Kata Containers backend. This means each sandbox uses its own kernel - this prevents kernel hijacking from a compromised sandbox to affect other sandboxes.

https://karnwong.me/posts/rss.xml