I recommend running the agent harness outside of the computer. The mental model I like to use is the computer is a tool the agent is using, and anything in the computer is untrusted.

▲

jeremyjh 3 hours ago | parent | next [-]

I would recommend not giving an agent the full run of any computing environment. Do handle fine grained internet access controls and credential injection like OpenShell does?

	▲	benswerd 3 hours ago \| parent [-]
		I used to believe this, but I think the next generation of agents is much more autonomous and just needs a computer. The work of a developer is open ended, so we use a computer for it. We don't try to box developers into small granular screwdrivers for each small thing. Thats whats coming to all agents, they might want to run some analysis with python, want to generate a website/document in typescript, and might want to store data in markdown files or in MongoDB. I expect them to get much more autonomous and with that to end up just needing computers like us.

▲

croes 3 hours ago | parent | prev [-]

The problem is the agent, which should be treated untrusted. The computer isn’t the problem

	▲	benswerd 3 hours ago \| parent [-]
		Kind of. The chat logs of the agent are trustworthly, as should any telemetry you have on it or coming out of the VM. Its behavior should be treated as probabilistic and therefore untrustworthly.