Why must agent-generated code execute in an isolated sandbox, and what are e2b and Modal's isolation models?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Explain why agent-generated code must run in an isolated sandbox rather than directly on the host. Describe how e2b and Modal achieve isolation differently.
Agent code is untrusted, so it must run in a throwaway sandbox with no host access, no default network, and CPU, memory, and time limits, never a bare subprocess.
Imagine you hire a stranger to test recipes in your house. You would not hand them keys to every room, your wallet, and the front door. You would put them in a rented kitchen with a timer, basic ingredients, and a locked door, then throw the kitchen away when they leave. Agent-generated code is that stranger. The model might write something harmful by accident, or someone might trick it into writing something nasty. So you run the code in a disposable box that has no path to your real files, no money or passwords lying around, and a clock that shuts it off. If the code misbehaves, only the rented box is wrecked, and you delete it anyway. Your real machine never even saw the stranger.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open with why agent code is untrusted (model mistakes plus prompt injection), state that a bare subprocess inherits the host so it is no boundary, lay out the defense in depth defaults (no network plus egress allowlist, ephemeral filesystem, CPU, memory, and time limits, seccomp), then contrast container, gVisor, and microVM isolation and place e2b and Modal on that spectrum with the latency tradeoff.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating a sandbox as a feature for catching bugs rather than a security boundary. The real job is containing untrusted code, including code an attacker injected, not just stopping accidental crashes.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.