Why run agent-generated code inside an isolated sandbox?
A sandbox is an isolated runtime (container, gVisor, or Firecracker MicroVM) that runs agent-generated code with no host filesystem or network access, used because the LLM can produce buggy or attacker-steered code.
Imagine an apprentice cook who is allowed to invent new recipes on the fly. Most of the time the recipes are fine. Once in a while the apprentice writes a recipe that says 'pour gasoline into the broth'. You would not let the apprentice cook in your main kitchen with access to every shelf, the gas line, and the customer's fridge. You give them a small isolated kitchen with only the ingredients for one dish, sealed off from the rest of the building, and you throw the kitchen away after the dish is done. A code sandbox is that small isolated kitchen for an agent. The code runs, but inside walls so thick that a bad recipe cannot reach anything real.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open by saying agent-generated code is untrusted by construction, because of bugs and prompt injection. Rank container vs gVisor vs MicroVM isolation. Name the four controls: no host filesystem, default-deny network, resource caps, ephemerality. Close on blast-radius reduction under least privilege, not on trusting the code.
Real products, models, and research that use this idea.
- e2b Cloud Sandbox runs agent-generated Python in Firecracker MicroVMs, with a per-session ephemeral filesystem and configurable egress allowlists.
- Modal executes untrusted agent code in serverless gVisor-backed containers with per-run resource caps and default-deny network egress.
- Daytona offers dev-environment sandboxes that agents can use as isolated workspaces for code generation and test runs.
- OpenAI's Code Interpreter and Advanced Data Analysis tools run Python in a network-disabled sandbox so generated code cannot reach the internet or host services.
- Pyodide runs Python entirely inside a browser WASM sandbox for client-side agent code without ever sending the code to a backend.
What an interviewer would ask next. Try answering before peeking at the approach.
QA container and a Firecracker MicroVM both isolate processes. Why prefer the MicroVM for arbitrary agent code?
QThe agent's task genuinely needs to fetch a Python package from PyPI. How do you allow that without opening the internet?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking a plain Docker container is a sandbox. A container shares the host kernel, so a kernel exploit escapes. Real agent sandboxes use gVisor or microVMs, default-deny networking, and ephemeral teardown.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.