Remix.run Logo
akazantsev 5 hours ago

That's because sandboxing is quite hard. I use `cco`, but even then, the home folder is exposed. You are one prompt away from the agent sending the browser passwords with curl.

To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.)

There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors.

kstenerud 35 minutes ago | parent | next [-]

Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there:

- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

- Network control

- Secrets control (file mounts or credentials broker)

- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one)

- NO access to your homedir. You have to explicitly mount things you want.

- NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters.

- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

- MCP passthrough

- Layered API (golang) if you want to sandbox other things

- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.

- FOSS

https://github.com/kstenerud/yoloai

magimas 8 minutes ago | parent | next [-]

but this seems quite overkill no?

I currently run pi agent in Lima on a Mac with only the code project folder mounted and an extension that prevents pi agent from reading the contents of .env files directly.

Yeah, there probably are some freak situations where this isn't safe enough, but I don't really see any realistic ways this is going to end up badly. Am I overlooking some obvious security holes?

lukewarm707 18 minutes ago | parent | prev [-]

i have a photon os vmware, agent has root and docker plus a few api keys with minimal credits.

if it messes up: - no sensitive data is there, so it doesn't really work for serious dev but it's secure for play time

- roll back and fix is done in 10s with ram snapshot

- dollar loss is $10 when it leaks the api key

lionkor 4 hours ago | parent | prev | next [-]

I use sandbox-here for this reason, it's a wrapper around bubblewrap, which works quite well.

Copy the code and adjust it to your liking:

https://github.com/lionkor/sbh

I have a shell alias for it, and use it like

    sbh --net pi
for example or

    sbh --net codex
and maybe add --docker if I expect it to do docker things.

This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents.

squidsoup 4 hours ago | parent | prev | next [-]

> That's because sandboxing is quite hard

colima makes it pretty easy, on macOS and linux at any rate.

https://colima.run

torginus 4 hours ago | parent [-]

Still wild to name a sandboxing software after one of the most infamous Soviet Gulags in history.

pfortuny 30 minutes ago | parent | next [-]

Colima is in Mexico.

Kolyma is in Russia.

imtringued 3 hours ago | parent | prev | next [-]

It's wilder to accuse someone of naming the container version of the lima sandboxing software after a gulag.

These type of moral outrage comments take an extreme amount of effort to debunk compared to writing them.

1. There is no gulag called Colima, it doesn't exist.

2. There was a gulag near a river called Kolyma

3. The pronounciation and spelling of Kolyma and Colima are completely different, in fact Colima is an Aztec word

Colima stands for Containers on Lima. Lima stands for Linux Machines (a popular open-source utility used to launch Linux virtual machines on macOS).

Xymist 2 hours ago | parent | prev | next [-]

Others have covered why that isn't what's being done, but also if it was that would be a _fabulous_ joke.

demek2016 3 hours ago | parent | prev [-]

Isn't it named after the Mexican state?

dpacmittal 3 hours ago | parent | prev [-]

Use multipass by canonical. Works on macOS, windows, Linux.

croes 2 hours ago | parent [-]

If you work on Windows you most likely need Windows as VM