First, do everything in a virtual machine, and only put on that machine the specific data you're using. Give the agent another user account and put both you and it in a common group. `chgrp` your origin data directory and a working directory to that group, then `chmod g+rX` the origin data directory and `chmod g+rwX` the working directory.
If you're cautious you might also want to just block all network traffic for that user and allow it on a whitelist basis. It is fairly quick to converge on a set of sites you are happy for it to access. I would still be forcing it through a logging MITM proxy if it is accessing untrusted internet data. For intranet destinations a non-MITM proxy avoids collecting authentication creds.
To blacklist all traffic, start with:

```
sudo iptables -A OUTPUT -m owner --gid-owner NONET -j REJECT
```
I would stop it opening ports too. Might also cut off its access to suid binaries by `setfacl -m u:agent:--- /path/to/suid`.
These are not about security so much as awareness and explicit authorisation.
You can do similar things with containers.
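
The whitelist on top of the REJECT rule above depends on rule order, so here is an added example (not part of the original post) that prints a complete, ordered rule set for review instead of applying it. The chain name `AGENT_OUT` and the proxy address `127.0.0.1:8080` are assumptions made for illustration; `NONET` is the group from the command above.

```shell
#!/bin/sh
# Added example: print (never apply) an ordered egress rule set for the agent.
# Assumptions: group NONET as in the command above; chain name AGENT_OUT and
# the proxy address 127.0.0.1:8080 are constructed for illustration.

# A destination must be IPv4:PORT. Hostnames are refused because iptables
# resolves them once, when the rule is inserted.
valid_dest() {
    case $1 in *:*) ;; *) return 1 ;; esac
    case ${1%:*} in ''|*[!0-9.]*) return 1 ;; esac
    case ${1##*:} in ''|*[!0-9]*) return 1 ;; esac
}

# usage: agent_egress_rules GROUP IP:PORT [IP:PORT ...]
agent_egress_rules() {
    group=$1; shift
    chain=AGENT_OUT
    # Validate everything first so a bad entry yields no partial rule set.
    for dest in "$@"; do
        valid_dest "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    done
    echo "iptables -N $chain"
    # Only the agent group's packets enter the chain.
    echo "iptables -A OUTPUT -m owner --gid-owner $group -j $chain"
    # Rules are matched in order: every ACCEPT has to precede the REJECT.
    for dest in "$@"; do
        echo "iptables -A $chain -p tcp -d ${dest%:*} --dport ${dest##*:} -j ACCEPT"
    done
    # Log each refused attempt; the log shows what to consider allowing.
    echo "iptables -A $chain -j LOG --log-prefix 'agent-egress-denied: '"
    echo "iptables -A $chain -j REJECT"
    # iptables covers IPv4 only, so refuse the group's IPv6 traffic outright.
    echo "ip6tables -A OUTPUT -m owner --gid-owner $group -j REJECT"
}

# Allow only the local logging proxy; review the output, then pipe to `sudo sh`.
agent_egress_rules NONET 127.0.0.1:8080
```

The owner match compares the group of the process that owns the socket, so the agent has to run with `NONET` as its primary group for these rules to apply to it.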