If your agent can reach the host, the host is part of the blast radius

An agent without a sandbox is an agent with your shell. The two production wipes of 2025 both happened on the host, not in a box.

B

Balagei G Nagarajan

3 MIN READ


An agent running inside a sealed disposable container versus one running directly on the host machine
Direct host access means no plumbing, no copy-in copy-out, no permission mapping.
— from “If your agent can reach the host, the host is part of the blast radius”

Key facts.

  • Antigravity's agent ran terminal commands on the host without isolation; a path-parsing error wiped an entire drive (OECD.AI incident).
  • The Amazon Q extension compromise targeted AWS CLI commands in the developer's own environment (AWS bulletin AWS-2025-019).
  • A disposable sandbox bounds the blast radius: the agent operates on a copy it cannot use to harm the host or production.

Why is "we'll sandbox it later" so common?

Because the unsandboxed agent is easier to build and demos beautifully. Direct host access means no plumbing, no copy-in copy-out, no permission mapping. The cost is invisible until the day a path bug or an injection turns a routine command into a destructive one with nothing to stop it. Sandboxing is the control that makes that day survivable. Built in from the start it is cheap; retrofitted after an incident it is expensive and late.

Concentric blast-radius diagram contrasting a contained sandbox with an unbounded host-access radius

Host access vs. isolated execution

Host accessIsolated execution
A bug reaches the real filesystemA bug reaches a disposable copy
Injection runs on the hostInjection runs in a throwaway box
Damage is permanentDamage is discarded with the sandbox

VibeModel's Pattern Intelligence Layer recognizes when an agent is about to take an action whose pattern matches host-level risk, a destructive shell command, an escape from its expected working directory, and flags it. Isolation bounds the blast radius; we watch for the moment an agent tries to act beyond the box. Together they keep a bad command from becoming a bad day.

Frequently asked questions

If we run a more capable model, do we still need to sandbox it?
Antigravity ran host commands with no isolation, so a cache-clear wiped a drive, and a better model obeys the same; EchoLeak shows one email reaching a real filesystem. (OECD.AI incident)

Is a Docker container enough?
It is a strong start. Pair it with least-privilege mounts and no direct production credentials, so even inside the box the agent cannot reach what it should not.

Doesn't isolation slow the agent down?
Marginally. The Antigravity and Amazon Q incidents show what the alternative costs. Isolation is cheap insurance.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.