ai-christianson 7 hours ago
We went down the WASM sandboxing rabbit hole at Gobii when building our agent infra. The pitch is appealing until you realize the tradeoff: you either accept a limited environment with reimplemented tools, or you emulate your way back to a full Linux system (like agentvm does at 173 MB) and wonder why you didn't just start with gVisor or Firecracker. We landed on gVisor in k8s. Our agents run headless Chromium for browser automation, ffmpeg for media processing, yt-dlp, ripgrep, fzf - real tools that would be a nightmare to port or reimplement. Actual Linux with the full ecosystem, solid isolation, no emulation overhead. Interesting project though - the capability-based tool validation layer seems useful regardless of what's running underneath.
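The "gVisor in k8s" setup the comment describes, as an added example that is not the commenter's or Gobii's own configuration: a RuntimeClass pointing at the `runsc` handler (the name used in gVisor's own Kubernetes quick start; it must match the handler registered in containerd's config on the node) and a pod that runs an unprivileged tool container under it. The image name, namespace and resource limits are placeholders. The pod hardening (non-root, no privilege escalation, all capabilities dropped, read-only root with explicit writable scratch dirs) is independent of gVisor and is what you would want even if the runtime handler were swapped for something else; the `/dev/shm` tmpfs mount is a common accommodation for headless Chromium, which needs more shared memory than the default container device gives it.

```yaml
# Added example: gVisor-backed sandbox for agent tool containers.
# Assumes a containerd node where the "runsc" handler is already
# registered (see gVisor's Kubernetes quick start); names are placeholders.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc            # must match the containerd runtime handler name
---
apiVersion: v1
kind: Pod
metadata:
  name: agent-tools
  namespace: agents        # placeholder namespace
spec:
  runtimeClassName: gvisor # every container in this pod runs under the Sentry
  automountServiceAccountToken: false   # tools should not get a k8s API token
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: tools
      image: registry.example.com/agent-tools:latest  # placeholder image with chromium, ffmpeg, yt-dlp, rg, fzf
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          cpu: "2"
          memory: 4Gi      # placeholder; Chromium and ffmpeg are memory-hungry
      volumeMounts:
        - name: scratch
          mountPath: /tmp   # writable scratch for downloads and transcodes
        - name: home
          mountPath: /home/agent   # Chromium profile dir
        - name: shm
          mountPath: /dev/shm      # Chromium needs a larger /dev/shm than the default
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 10Gi
    - name: home
      emptyDir: {}
    - name: shm
      emptyDir:
        medium: Memory
        sizeLimit: 1Gi
```

Once the pod is running, confirm it actually landed in the sandbox rather than on the host kernel: `kubectl -n agents exec agent-tools -- dmesg` prints gVisor's own boot banner (it starts with "Starting gVisor...") instead of the node's kernel log, and `uname -r` reports gVisor's emulated kernel version rather than the node's. If the RuntimeClass name is misspelled or the handler is not installed on the node, the pod stays Pending with a scheduling or runtime error rather than silently falling back to runc, which is the behaviour you want.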