Sandbox Hardening
Lock down agent shell and code execution with least-privilege sandboxes before you let generated code touch real machines or customer data.
Overview
sandbox-hardening is an agent skill most often used in Ship (also Build agent-tooling, Operate infra) that configures and validates least-privilege sandboxes for AI code execution.
Install
npx skills add https://github.com/itallstartedwithaidea/agent-skills --skill sandbox-hardeningWhat is this skill?
- Three isolation tiers: process-level (seccomp, AppArmor), container-level (restricted Docker), VM-level (microVMs such a
- Applies least privilege so agents only get permissions required for the task
- Covers resource limits and network segmentation to block unbounded compute and data exfiltration
- Validates sandboxes against prompt-injection and hallucinated destructive commands
- Trust-boundary guidance: internal tools vs multi-tenant vs untrusted code execution
- Three documented isolation levels: process, container, and VM (microVM)
Adoption & trust: 1 installs on skills.sh; 18 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
Your coding agent has shell access without boundaries, so injection or bad commands could touch the host, exfiltrate data, or burn unbounded resources.
Who is it for?
Indie builders running Claude Code, Cursor, or custom agents that execute untrusted or semi-trusted generated code on real infrastructure.
Skip if: Teams that only need static SAST on committed repos with zero runtime agent execution, or beginners who lack Docker or VM ops basics.
When should I use this skill?
Implementing or reviewing sandboxed agent execution, container restrictions, resource limits, or network segmentation for AI-generated code.
What do I get? / Deliverables
You get a validated isolation profile—process, container, or VM—with limits and network rules appropriate to your trust boundary.
- Sandbox configuration profile with capability and mount rules
- Validation checklist for isolation, limits, and egress
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical Ship placement because unrestricted agent execution is a launch-blocker risk; hardening belongs next to security review before production exposure. Security subphase captures container, seccomp, AppArmor, capability drops, network segmentation, and resource limits—not generic perf tuning.
Where it fits
Define a Docker profile with dropped capabilities before wiring your agent to run user-supplied scripts.
Validate seccomp and network egress rules on a staging executor prior to customer beta.
Tighten CPU and memory limits on production agent workers after observing runaway loops.
How it compares
Procedural sandbox design for agents, not a substitute for dependency vulnerability scanning alone.
Common Questions / FAQ
Who is sandbox-hardening for?
Solo builders and small teams operating agent runtimes who need container, process, or VM isolation before granting shell or code execution.
When should I use sandbox-hardening?
In Ship security before go-live, while building agent-tooling integrations, and in Operate infra when tightening production agent workers or multi-tenant executors.
Is sandbox-hardening safe to install?
The skill guides privileged infra changes; review the Security Audits panel on this Prism page and test changes in non-production environments first.
SKILL.md
READMESKILL.md - Sandbox Hardening
# Sandbox Hardening Part of [Agent Skills™](https://github.com/itallstartedwithaidea/agent-skills) by [googleadsagent.ai™](https://googleadsagent.ai) ## Description Sandbox Hardening isolates agent execution environments using container sandboxing, permission boundaries, resource limits, and network segmentation. The agent configures and validates sandboxes that prevent AI-generated code from accessing unauthorized resources, consuming unbounded compute, or affecting the host system. An AI agent with unrestricted shell access is a security liability. Without sandboxing, a prompt injection or hallucinated command could delete files, exfiltrate data, install malware, or consume unbounded resources. Sandbox Hardening applies the principle of least privilege: the agent receives only the permissions it needs, in an isolated environment with strict resource limits and monitored network access. This skill covers three isolation levels: process-level sandboxing (seccomp, AppArmor), container-level isolation (Docker with restricted capabilities), and VM-level isolation (microVMs like Firecracker). The appropriate level depends on the trust boundary: internal development tools use process-level, multi-tenant platforms use container-level, and untrusted code execution requires VM-level isolation. ## Use When - Running AI-generated code in production or shared environments - Configuring agent execution environments with least-privilege access - Deploying multi-tenant AI platforms where users share infrastructure - Executing untrusted code from user inputs or AI outputs - Implementing compliance requirements for isolated execution - Building sandboxed development environments for agents ## How It Works ```mermaid graph TD A[Agent Task] --> B{Trust Level Assessment} B -->|Internal Dev| C[Process Sandbox] B -->|Multi-Tenant| D[Container Sandbox] B -->|Untrusted Code| E[VM Sandbox] C --> F[seccomp + AppArmor Profile] D --> G[Docker: No Root + Read-Only FS] E --> H[Firecracker microVM] F --> I[Resource Limits: CPU, Memory, Disk] G --> I H --> I I --> J[Network Policy: Allowlist Only] J --> K[Filesystem: Scoped Mount] K --> L[Monitoring: Syscall Audit] L --> M[Execution within Sandbox] ``` The sandbox is configured before the agent executes any code. Trust level determines the isolation technology, and all levels apply resource limits, network restrictions, and filesystem scoping. ## Implementation ```dockerfile # Container sandbox: minimal, non-root, read-only FROM node:20-slim AS sandbox RUN groupadd -r agent && useradd -r -g agent -d /workspace agent WORKDIR /workspace COPY --chown=agent:agent . . USER agent ``` ```yaml # docker-compose sandbox configuration services: agent-sandbox: build: . read_only: true tmpfs: - /tmp:size=100M,noexec security_opt: - no-new-privileges:true - seccomp:seccomp-profile.json cap_drop: - ALL cap_add: - NET_BIND_SERVICE deploy: resources: limits: cpus: "2.0" memory: 512M pids: 100 reservations: cpus: "0.5" memory: 128M networks: - sandbox-net dns: - 1.1.1.1 networks: sandbox-net: driver: bridge internal: false ``` ```python import resource import os class ProcessSandbox: """Process-level sandboxing for single-tenant development.""" @staticmethod def apply_limits( max_memory_mb: int = 256, max_cpu_seconds: int = 30, max_file_size_mb: int = 10, max_open_files: int = 64, max_processes: int = 10, ): mb = 1024 * 1024 resource.setrlimit(resource.RLIMIT_AS, (max_memory_mb * mb, max_memory_mb * mb)) resource.setrl