I use KVM/QEMU on Linux. I have a set of scripts that I use to create a new directory with a VM project and that also installs a debian image for the VM. I have an ./pull_from_vm and ./push_to_vm that I use to pull and push the git code to and from the vm. As well as a ./claude to start claude on the vm and a ./emacs to initialize and start emacs on the vm after syncing my local .spacemacs directory to the vm (I like this because of customized emacs muscle memory and because I worry that emacs can execute arbitrary code if I use it to ssh to the VM client from my host).

I try not to run LLM's directly on my own host. The only exception I have is that I do use https://github.com/karthink/gptel on my own machine, because it is just too damn useful. I hope I don't self own myself with that someday.

You might like this (disclaimer my project):

https://github.com/jgbrwn/vibebin

I'm mainly addressing sandboxing by running stuff in Claude Code for web, at which point it's Anthropic's problem if they have a sandbox leak, not mine.

It helps that most of my projects are open source so I don't need to worry about prompt injection code stealing vulnerabilities. That way the worst that can happen would be an attack adding a vulnerability to my code that I don't spot when I review the PR.

And turning off outbound networking should protect against code stealing too... but I allow access to everything because I don't need to worry about code stealing and that way Claude can install things and run benchmarks and generally do all sorts of other useful bits and pieces.

hey fren, try this: https://github.com/smol-machines/smolvm

I already have a couple folks using it for claude: https://github.com/smol-machines/smolvm/discussions/3

If you could make your tool work with PVM that would be amazing

Tool is already configured with paravirtualization on the linux path

Unfortunately, the ecosystem and tooling is not there for macOS full paravirtualization yet

Oh neat yeah I only care about Linux pvm. Assuming we still have to have already installed the PVM kernel and other pvm-related prereqs or?

Looked into Apples container framework first (for proper isolation) but switched to Docker sandboxes since they switched to mircoVMs too: https://docs.docker.com/ai/sandboxes/#why-use-docker-sandbox...

Quite similar to how Im using docker for a few years

https://github.com/jrz/container-shell

Containers here, though I don't run Claude Code within containers, nor do I pass `--dangerously-skip-permissions`. Instead, I provide a way for agents to run commands within containers.

These containers only have the worker agent's workspace and some caching dirs (e.g. GOMODCACHE) mounted, and by default have `--network none` set. (Some commands, like `go mod download`, can be explicitly exempted to have network access.)

I also use per-skill hooks to enforce more filesystem isolation and check if an agent attempts to run e.g. `go build`, and tell it to run `aww exec go build` instead. (AWW is the name of the agent workflow system I've been developing over the past month—"Agent Workflow Wrangler.")

This feels like a pragmatic setup. I'm sure it's not riskless, but hopefully it does enough to mitigate the worst risks. I may yet go back to running Claude Code in a dedicated VM, along with the containerized commands, to add yet another layer of isolation.

The interesting thing in that thread is how many people have landed on isolation as a workaround while still lacking a real control plane on top of it. Containers reduce blast radius, but they don’t answer approvals, policy, or auditability. That’s the gap I keep seeing in these setups. I've found a software, called Daedalab, that instead of sandboxing AI puts deterministic control on agents actions.

Shell over MCP, with multiple options for sandbox. Includes Docker, Podman, Modal, E2B, and WASM:

https://github.com/Kiln-AI/Kilntainers

Can run anything from a busybox in WASM to a full cloud VM. Agent just sees a shell.

This seems to be billed as a MCP server for making sandbox containers... right? Doesn't this kind of miss the whole point?

"Make me a sandbox for yourself! Make sure its really secure!"

The sandboxing options are set when you connect the MCP to the agent, not by the agent passing params about its own sandbox.

There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent cli execution into the same host OS.

If you sandbox just the agent’s CLI access, then it’s can’t access its own API keys/code/host-OS/etc.

My app is a macOS terminal wrapper with nice GUI for sandbox-exec and network sandbox. I just added a vertical tabs option too. https://multitui.com

Sandvault author here: thanks for the shout-out!

I would add that in addition to Unix permissions, sandvault also utilizes macOS sandbox-exec to further limit the blast radius.

Dedicate user account.

That's not to say I don't use bwrap.

But I use that specifically to run 'user-emulation' stories where an agent starts in their own `~/` environment with my tarball at ~/Downloads/app.tar.gz, and has to find its way through the docs / code / cli's and report on the experience.

There's an intermediate step, which is to use a combination of claude code sandboxing (bubblewrap), plus some pre tool hooks to look for sketchy commands, but it's still interactive and probably not the right longterm approach.

I use either QEMU VMs or my own sandbox-run [0] (a bubblewrap wrapper) for isolation, depending on the use case.

[0] https://codeberg.org/Grauwolf/sandbox-run

I've been using nsjail, which i guess employs several of these techniques.