Tool Sandboxing
Tool sandboxing runs agent tool calls inside isolated environments, such as Docker containers, virtual machines, or Firecracker microVMs, so that a hallucinated command or prompt injection cannot modify production data, execute destructive system calls, or access resources outside the agent's intended scope. The scenario where this matters most is an agent with file system access executing user-supplied code: without isolation, a malicious or malformed input can read credentials, overwrite arbitrary files, or exfiltrate data before any human review occurs. The real tradeoff is calibration, not just presence: over-sandboxing adds cold-start latency and can prevent the agent from reaching the resources it legitimately needs, so the practical goal is the minimum isolation that contains the worst-case blast radius.
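As an added example (not code from the original page), the following Python helper turns the "minimum isolation" idea into a concrete least-privilege `docker run` invocation for one tool call: root filesystem read-only, no network, all capabilities dropped, a non-root user, resource limits, a wall-clock timeout, and only the allow-listed workspace and data directories mounted. Arguments that point outside the mounted scope are rejected before the container starts. The Docker flags are real; the image, host paths and policy fields are assumptions.

```python
import subprocess
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class SandboxPolicy:
    """The minimum the tool needs; everything not listed is denied by default."""
    image: str = "python:3.12-slim"            # assumed image
    workspace: str = "/srv/agent/work"         # assumed host dir the agent may read and write
    readonly_mounts: dict = field(default_factory=dict)  # host path -> container path
    network: bool = False                      # most tools need no egress
    memory: str = "256m"
    cpus: str = "1"
    pids: int = 64                             # bounds fork bombs
    timeout_s: int = 30                        # wall-clock budget per call


def build_sandbox_cmd(argv: list[str], policy: SandboxPolicy) -> list[str]:
    """Return the docker argv for one tool call, or raise if it reaches outside scope."""
    allowed = [PurePosixPath("/work")] + [PurePosixPath(p) for p in policy.readonly_mounts.values()]
    for arg in argv:
        p = PurePosixPath(arg)
        if ".." in p.parts or (p.is_absolute() and not any(p.is_relative_to(a) for a in allowed)):
            raise ValueError(f"tool argument outside sandbox scope: {arg}")
    cmd = [
        "docker", "run", "--rm",
        "--network", "bridge" if policy.network else "none",
        "--read-only",                                # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # scratch space that cannot run binaries
        "--cap-drop", "ALL",                          # no Linux capabilities
        "--security-opt", "no-new-privileges",        # setuid binaries cannot raise privileges
        "--user", "65534:65534",                      # run as nobody, never root
        "--pids-limit", str(policy.pids),
        "--memory", policy.memory, "--cpus", policy.cpus,
        "-v", f"{policy.workspace}:/work:rw", "--workdir", "/work",
    ]
    for host, inner in policy.readonly_mounts.items():
        cmd += ["-v", f"{host}:{inner}:ro"]           # data the tool may read but not write
    return cmd + [policy.image, *argv]


def run_tool(argv: list[str], policy: SandboxPolicy) -> subprocess.CompletedProcess:
    """Execute the call; the timeout kills a hung or runaway tool as well."""
    return subprocess.run(build_sandbox_cmd(argv, policy), capture_output=True,
                          text=True, timeout=policy.timeout_s)
```

Loosening the policy (for example `network=True` or an extra read-only mount) is the calibration step: each field widens the blast radius by exactly one resource, so the agent gets what it legitimately needs and nothing else.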