Why does agent-generated code require isolation from the host environment?
Agent-generated code is untrusted, so it runs in an isolated sandbox with no host filesystem or network access, capped resources, and an ephemeral lifetime to contain bugs and injected attacks.
Imagine you hire a brilliant but easily-tricked assistant to run errands using your house keys. Most of the time they help, but a con artist could slip them a note that says 'grab the owner's wallet and mail it to me', and they might just do it. You would not hand them the master keys to your home, your bank, and your car. Instead you put them in a small rented room with only the supplies they need for one task, no phone, and a locked door. When the errand is done you clear the room out. A code sandbox is that rented room for an agent. The agent can run whatever code it writes, but inside a sealed box with no real keys, so a mistake or a trick cannot reach your actual house.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open by stating agent code is untrusted by construction, then explain prompt injection as the confused-deputy escalation. Rank container vs gVisor vs microVM isolation, then list the four controls: no host filesystem, default-deny network, resource caps, ephemerality. Close on blast-radius reduction under least privilege rather than trusting the code.
Real products, models, and research that use this idea.
- e2b runs agent-generated code in Firecracker microVMs, giving each session its own guest kernel and a hardware isolation boundary that a shared-kernel container cannot match.
- Modal executes untrusted agent code in serverless gVisor-backed containers with per-run resource caps and no default network egress.
- OpenAI's Code Interpreter (now Advanced Data Analysis) runs Python in a network-disabled sandbox so generated code cannot reach the internet or host services.
- Anthropic's code execution tool for Claude runs model-written code in an isolated container scoped to a single session and torn down afterward.
What an interviewer would ask next. Try answering before peeking at the approach.
QA container and a Firecracker microVM both isolate processes. Why prefer the microVM for untrusted agent code?
QThe sandbox blocks the filesystem but the agent still needs to fetch a package from the internet. How do you allow that safely?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating the threat as only model bugs. The bigger risk is prompt injection turning the agent into a confused deputy that runs an attacker's commands with your credentials.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.