AI Code Sandbox

An increasingly important part of the AI stack is running untrusted code in a sandbox.

List of code sandbox for AI offerings:

• CloudFlare Sandbox SDK
• Vercel Sandbox
• Daytona
• Anthropic sandbox-runtime
• Deno Sandbox
• Fly.io Sprites (containers)
• Modal Sandbox (containers)
• e2b (containers, open-source ish?)

Open source:

• Coder (open source, containers)
• Concave (open source, firecracker)
• CodeRunner (apple containers)
• container-use (dagger, containers)
• Nono (open source, macOS: seatbelt, Linux: landlock)
• Litebox (microsoft, linux OS sandbox)
• Microsandbox (libkrun)
• agent-safehouse (macOS: seatbelt)

WebAssembly alternatives:

• amla-sandbox (QuickJS) Unfortunately: “The WASM binary is currently proprietary—you can use it freely with this package, but you can’t extract or redistribute it separately. We’re working on open sourcing the WASM runtime.”
• eryx (componentize-py)
• localsandbox (pyodide + deno)
• wassette (multiple languages wrapped in an MCP server)

Rolling your own:

• sandbox-exec (macOS)
• NsJail (Linux)
• firejail (Linux)
• firecracker (Linux)
• RestrictedPython (python)
• componentize-py (cpython in wasm)

See also:

• The lethal trifecta of AI agents isn’t solved by a sandbox alone, but is certainly part of it

Links to this note

• Rustpython With Wasm

  RustPython is a python interpreter written in rust. What makes it interesting is that it does no use cpython which makes it much more straightforward to target WebAssembly and do things like execute untrusted code on a host machine.

• AI Agent Security

  AI agent security is application security, network security PLUS controls for prompt injection (the lethal trifecta) and LLM fallibility (trusted/untrusted input).

• Trusted Input

  AI agents are able to do good things and bad things. Preventing bad things is difficult. The universe of bad things grows in proportion to the access and capabilities LLMs have.