Sandbox Isolation
Run agent-emitted code or actions in a contained environment with restricted filesystem, network, and process privileges.
Problem
An agent with full host access can damage the host either deliberately (a prompt-injection payload tells it to delete a directory or exfiltrate a secret) or accidentally (the model emits a destructive command targeting the wrong path). Once a wrong rm -rf, curl-piped-to-shell, or rogue tool call has run on the host, no amount of in-loop reasoning can undo it; the blast radius is whatever the host process can reach.
Solution
Run code in a container, microVM, WASM runtime, or restricted subprocess with minimal privileges. The filesystem is read-only or scoped to a working directory; the network is allowlisted or blocked; resource limits cap CPU, memory, and wall-clock time; persistent state is ephemeral by default, so nothing the code leaves behind survives the run unless it is explicitly copied out.
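The restricted-subprocess variant of this pattern, as an added example that is not code from the pattern page: a Unix-only Python sandbox that runs agent-emitted Python in a throwaway directory with a scrubbed environment, kernel-enforced CPU/memory/file-size limits and a wall-clock timeout. It assumes network policy is enforced outside this function (by the container or network namespace it runs in), and the limit values are illustrative.

```python
import os
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional
MIB = 1024 * 1024
@dataclass
class SandboxResult:
    returncode: Optional[int]  # None when the wall-clock timeout killed the run
    stdout: str
    stderr: str
    timed_out: bool
    files: List[str]           # what the code left behind in its scratch directory
def _cap(limit: int, value: int) -> None:
    """Hard-cap one rlimit, never above what the parent is already allowed."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))
def _apply_limits(cpu_seconds: int, mem_bytes: int) -> None:
    """Runs in the child after fork, before exec: the kernel enforces these caps."""
    _cap(resource.RLIMIT_CPU, cpu_seconds)   # SIGXCPU once CPU time is exhausted
    _cap(resource.RLIMIT_AS, mem_bytes)      # allocations beyond this fail
    _cap(resource.RLIMIT_FSIZE, 1 * MIB)     # no single file larger than 1 MiB
def run_sandboxed(code: str, timeout_s: float = 5.0,
                  cpu_seconds: int = 2, mem_bytes: int = 512 * MIB) -> SandboxResult:
    """Run agent-emitted Python in a throwaway directory with a scrubbed
    environment, resource limits and a wall-clock timeout; nothing persists."""
    with tempfile.TemporaryDirectory(prefix="agent-sandbox-") as workdir:
        script = os.path.join(workdir, "main.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(code)
        # Explicit environment, not the parent's: host secrets are never inherited.
        env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "LANG": "C.UTF-8"}
        timed_out, rc = False, None
        try:
            proc = subprocess.run(
                [sys.executable, "-I", script],  # -I: ignore PYTHON* vars and user site dir
                cwd=workdir, env=env, capture_output=True, text=True, timeout=timeout_s,
                preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes))
            rc, out, err = proc.returncode, proc.stdout, proc.stderr
        except subprocess.TimeoutExpired as exc:  # run() has already killed the child
            timed_out = True
            out = exc.stdout.decode(errors="replace") if isinstance(exc.stdout, bytes) else (exc.stdout or "")
            err = exc.stderr.decode(errors="replace") if isinstance(exc.stderr, bytes) else (exc.stderr or "")
        files = sorted(f for f in os.listdir(workdir) if f != "main.py")
    # workdir has been deleted here: state is ephemeral unless explicitly copied out
    return SandboxResult(rc, out, err, timed_out, files)
```

For a production deployment the same limits belong on a container or microVM boundary as well; rlimits bound resource use but do not by themselves stop filesystem or network reach outside the working directory.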
When to use
- The agent executes generated code or operates the filesystem.
- Host damage (deletion, exfiltration, malware) is a credible risk.
- A container, microVM, or WASM runtime can be deployed for execution.
Related
- Code-as-Action Agent
- Code Execution
- Dual LLM Pattern
- Input/Output Guardrails
- Lethal Trifecta Threat Model
- Sandbox Escape Monitoring
- Subagent Isolation
- Todo-List-Driven Autonomous Agent
- WebAssembly Skill Runtime
- MCP-as-Code-API
- JSON-Only Action Schema
- Agent-Generated Code RCE
- Self-Exfiltration
- Authorized Tool Misuse
- Agent Privilege Escalation
- Simulate Before Actuate
- Code-Then-Execute with Dataflow Analysis
- Progressive Tool Access