GitHub - fishman/awesome-agent-sandbox: Portable, self-contained sandboxes for AI coding agents - microVMs, containers, isolation harnesses. · GitHub
Awesome Agent Sandbox
Portable, lightweight, self-contained sandboxes for AI coding agents - microVMs, containers, and isolation harnesses.
MicroVMs
smolvm - Hardware-isolated VMs. Boots .smolmachine file. Elastic memory, opt-in networking, SSH agent forwarding (keys never touch guest), GPU acceleration, declarative Smolfile (TOML). 4 vCPUs / 8 GiB RAM default, idle vCPUs sleep at near-zero cost.
microsandbox - Embeddable libkrun microVM SDK with Rust, Python, TypeScript, Go bindings.
CelestoAI/SmolVM - Disposable VMs for AI agents via Firecracker, QEMU, or libkrun. ~500ms boot. Mounts host folders read-only by default (--writable-mounts to allow writes). Browser sandbox with CDP/VNC. Pre-installed Claude Code, Codex, Pi with forwarded git credentials. Snapshots, network egress controls, Windows guest support.
agent-vm - Per-project libkrun microVMs. ~2s boot. Bind-mounts project at host path. OAuth tokens never enter the VM - a TLS-intercept proxy substitutes real bearer tokens for placeholders on outbound requests. Per-launch GitHub repo allow-listing. Chrome DevTools MCP with CA injection. Linux, requires /dev/kvm.
drydock - Apple container runtime (macOS 26+, Apple Silicon). Per-task throwaway VMs - nothing survives between tasks. Agent never gets your real API key (short-lived, budget-capped token only). Deny-by-default egress with allowlist for package registries. Only a git diff leaves the sandbox; nothing reaches origin without approval. Red-team tests included.
CubeSandbox - Tencent-built KVM microVMs via RustVMM.
sand - Apple container CLI (macOS 26+, Apple Silicon). APFS copy-on-write clones of your project. Commands: sand new -a claude, sand shell, sand git status. Native Apple virtualization, no Docker dependency.
HyperAgent - Hyperlight micro-VM runtime (KVM/MSHV/WHP). Model writes JavaScript handlers that run in hardware-isolated sandboxes - no direct filesystem, network, shell, or process access unless explicitly granted via plugins. Path-jailed fs-read/fs-write plugins. Domain-scoped fetch with SSRF checks. GitHub Copilot SDK auth.
strangeClaw - Self-hosted autonomous agent running inside Firecracker microVMs. Host-side request broker checks policy, injects credentials, redacts responses - agent only sees denials, never holds real API keys. Two modes: yolo (direct host) and fire (VM isolation).
Container Sandboxes
agent-sandbox - Rust CLI (ags), rootless Podman containers. Supports Claude, Codex, Gemini, OpenCode, Pi, and interactive shells. Hardened lockdown mode for untrusted repos (no secrets, no SSH agent, no host bridges). Clipboard bridge, OAuth proxy, browser sidecar, host UI via Glimpse. TOML config with per-repo overlays.
yolobox - Docker sandbox. Only the project directory is mounted at its real path; home directory stays on the host. Agent gets full permissions and sudo inside the container. Wraps agent CLIs to skip permission prompts. .yolobox.toml for extra packages. Flags: --no-network, --readonly-project, fork. Protects against accidents, not container-escape exploits.
hort - Rust, daemonless, no Docker. Each box is a disposable git worktree + in-process OCI container (libcontainer). Single static binary. Run multiple agents in parallel against one worktree. Read-only dotfiles mounted so the environment feels familiar but can't be altered. Egress allowlist. Built for Claude Code, Aider, Gemini CLI.
agent-sandbox - Docker + mitmproxy sidecar. Repo directory mounted as workspace, secrets live on host and are injected by the proxy at request time - agent never sees raw API keys. iptables blocks all direct...