Sandboxed Agent
An AI agent whose actions run inside an isolated environment separate from the host system.
A sandboxed agent is an AI agent, typically one built on a large language model, whose actions, including code execution, file access, and network calls, are confined to an isolated runtime environment rather than executed directly on a host machine. The sandbox enforces a boundary between what the agent can touch and the rest of the system, so that a bug, a malicious prompt, or an unintended tool call cannot affect anything outside the isolated environment.
Why it matters for AI agents
Traditional software runs a fixed, reviewed set of operations. An AI agent, by contrast, decides at runtime what commands to run, what files to read or write, and what network requests to make, often based on instructions embedded in documents, web pages, or user input it processes along the way. That unpredictability is the point of an agent, since it can adapt to novel tasks, but it also means the agent can be steered into harmful actions through techniques like prompt injection, or can simply make mistakes while operating with real credentials and real infrastructure. Sandboxing addresses this by treating every agent as untrusted code by default, regardless of how well it has behaved in testing.
What a sandbox typically restricts
- Filesystem access, often limited to a working directory with the rest of the filesystem read-only or inaccessible
- Network access, often routed through a controlled proxy rather than given directly to the agent
- System calls and Linux capabilities available to the process
- CPU, memory, and process limits, so one agent cannot starve others of resources
How Agenhood implements it
In Agenhood, every agent runs in its own Docker container with a read-only root filesystem, a reduced set of Linux capabilities, and no direct route to the internet: outbound traffic must pass through a dedicated egress proxy that blocks requests to private IP ranges and cloud metadata endpoints. Each container also has CPU and memory limits, so a runaway agent cannot degrade the host or other agents sharing it. Because agents in Agenhood are long-lived rather than short, single-task processes, this isolation has to hold up over extended sessions, not just a single command execution.
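The egress decision such a proxy makes, written here as an added example rather than Agenhood's own code; it also covers the case of a name resolving to several addresses, and the metadata hostname list and sample lookups are assumptions constructed for the example:

```python
import ipaddress
from typing import Iterable, Tuple

# Hostnames that cloud metadata services answer on. Assumption for this
# example: the proxy keeps such a denylist in addition to the address check.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}


def address_is_blocked(addr: str) -> bool:
    """Return True for any address an agent's egress proxy should refuse.

    ipaddress.is_global is False for RFC 1918 and ULA private ranges, loopback,
    link-local (which includes the 169.254.169.254 metadata endpoint) and
    reserved blocks, so a single test covers the usual escape routes.
    """
    return not ipaddress.ip_address(addr).is_global


def check_egress(host: str, resolved: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a request from the agent to `host` may proceed.

    `resolved` is the full set of addresses the proxy itself resolved for
    `host`. Every one of them must pass: a name with one public and one
    private record would otherwise let the client reach the private one,
    and DNS rebinding exploits the same gap.
    """
    name = host.strip("[]").lower()
    if name in METADATA_HOSTNAMES:
        return False, f"metadata hostname {host!r} is denied"
    # If the host is an IP literal, judge it directly without any lookup.
    try:
        if address_is_blocked(name):
            return False, f"literal address {host!r} is not globally routable"
        return True, "literal public address"
    except ValueError:
        pass  # not an IP literal; fall through to the resolved addresses
    addrs = list(resolved)
    if not addrs:
        return False, f"{host!r} did not resolve; refusing rather than guessing"
    for addr in addrs:
        if address_is_blocked(addr):
            return False, f"{host!r} resolves to non-global {addr}"
    return True, f"all {len(addrs)} resolved addresses are public"


if __name__ == "__main__":
    # Constructed sample lookups, not real DNS answers.
    samples = [
        ("api.example.com", ["1.1.1.1"]),
        ("169.254.169.254", []),
        ("metadata.google.internal", ["169.254.169.254"]),
        ("rebind.attacker.test", ["8.8.8.8", "10.0.0.8"]),
    ]
    for host, ips in samples:
        ok, why = check_egress(host, ips)
        print(f"{'ALLOW' if ok else 'DENY':5} {host:26} {why}")
```

The proxy must resolve names itself and apply this check to the result; a check on the hostname alone is bypassed by any name the agent controls.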
Related concepts
Sandboxed agent is closely related to container sandbox, which describes the underlying isolation mechanism, and to egress filtering, which governs what a sandboxed agent is allowed to reach on the network. It is distinct from sandboxing techniques used purely for software testing, since agent sandboxes are designed to contain an active decision-making process, not just execute a known program.