Member-only story
Sandboxed code execution #
The eight previous parts gave Eugene careful, narrow capabilities: reading files inside a canonicalised sandbox, calling a handful of well-typed skills, talking to other agents, persisting memory, going through an open protocol. None of those let the agent run arbitrary code on the user’s machine. This post does.
The reason it took eight parts to get here is the reason this post is the longest in the series. Letting a language model produce shell or Python and then run it on your laptop is the single most dangerous thing an agent can do. It is also the most powerful: a data-analyst agent that can write grep
, awk
, or a Python one-liner against your data is qualitatively different from one that has to navigate a fixed menu of tools. The whole craft of code-execution skills is keeping the second property while neutralising the first.
The Claude Code source has the deepest sandboxing surface of any agent in the wild. Their bashSecurity.ts
file is 1,500 lines of pattern detection and tree-sitter AST analysis, scanning every bash command for command-substitution, process-substitution, Zsh expansion tricks, PowerShell comment syntax, and binary-hijack environment variables. Their shouldUseSandbox.ts
decides at runtime whether each command needs OS-level sandboxing on top of the pattern filter…