50 days ago · 6 min read · 1145 words · Tech

Intro

Coding agents in agentic harnesses are a useful tool. They have gained massive traction in the last few months, particularly due to their enhanced capabilities. They can now navigate your system, make API calls and do all kinds of useful work, especially once you grant them more access. Unfortunately, this is also incredibly risky. Obviously, you could always just tell them not to do anything bad. But prompting does not help, as AI agents routinely ignore instructions. A good rule to live by is "anything an agent can do, it will do eventually". So we need to restrict what they can do on your system. In this blog post I will explore how to use a sandbox to stop them from reading your secrets, which will heavily reduce the blast radius.

Permissions

The simplest and fastest way to avoid them reading secrets is by not allowing them to do so in their config. E.g. in OpenCode:

```json
// opencode.json
{
  ...
  "permission": {
    "read": {
      ".env": "deny"
    }
  }
}
```

or in Claude Code:

```json
{ "permissions": {…
```
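A deny rule only helps if its pattern actually covers the files that hold secrets. The following audit script is an added example, not code from the post or from OpenCode; it assumes (my assumption, not OpenCode's documented behaviour) that each key under `permission.read` is a glob matched against the repo-relative path or the basename, and it lists the secret-looking files a given config would still let an agent read.

```python
"""Audit an OpenCode-style read-permission map against a file tree.

Assumption (not taken from OpenCode's docs): each key under
"permission" -> "read" is a glob, and a path is denied when the glob
matches either its repo-relative path or its basename.
"""
import fnmatch
import json
from typing import Iterable

# Constructed sample config, modelled on the snippet in the post.
OPENCODE_CONFIG = json.loads('{"permission": {"read": {".env": "deny"}}}')

# Constructed sample repo listing with files that commonly hold secrets.
SAMPLE_TREE = [
    ".env",
    ".env.local",
    ".env.production",
    "services/api/.env",
    "config/secrets.yaml",
    "id_rsa",
    "src/main.py",
]

# Names a reviewer would expect to be unreadable by an agent.
SECRET_PATTERNS = [".env*", "*secret*", "id_rsa*", "*.pem"]


def is_denied(path: str, read_rules: dict) -> bool:
    """True if some rule whose action is "deny" matches path or its basename."""
    base = path.rsplit("/", 1)[-1]
    return any(
        fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(base, pat)
        for pat, action in read_rules.items()
        if action == "deny"
    )


def looks_secret(path: str) -> bool:
    """Heuristic: does the basename match one of the secret-file patterns?"""
    base = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(base, pat) for pat in SECRET_PATTERNS)


def uncovered_secrets(tree: Iterable[str], config: dict) -> list[str]:
    """Secret-looking files that the config would still let the agent read."""
    rules = config.get("permission", {}).get("read", {})
    return sorted(p for p in tree if looks_secret(p) and not is_denied(p, rules))


if __name__ == "__main__":
    for p in uncovered_secrets(SAMPLE_TREE, OPENCODE_CONFIG):
        print("still readable:", p)  # .env.local, .env.production, ...
```

Widening the rules to `.env*`, `*secret*` and `id_rsa*` makes the uncovered list empty for this sample tree.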
