Sandbox Execution: Isolated Agent Environments
Run agents or their tools in isolated sandboxes — preventing unauthorized file access, network calls, and credential theft. Providers: Modal, Daytona, Deno, and LangSmith sandboxes.
Quick Reference
- Two patterns: "Agent in sandbox" (the full agent runs isolated) vs. "Tool in sandbox" (individual operations are isolated)
- Sandbox providers: Modal (serverless GPU), Daytona (dev environments), Deno (V8 isolates), LangSmith (managed)
- Agents get filesystem tools plus an execute-shell-command tool, all of which run inside the sandbox
- Sandbox scoping: thread-scoped (recommended), agent-scoped, user-scoped, or session-scoped
- Deep Agents integrates sandboxes as pluggable filesystem backends
- Critical for code execution agents — never run untrusted code on your host
Why Sandboxes Matter
Prompt injection can cause agents to execute arbitrary shell commands, read sensitive files, exfiltrate credentials, or modify system configurations. Without a sandbox, a compromised agent has the same access as the process running it — which is often far more than it needs.
Sandboxes provide defense-in-depth: even if the agent is tricked, the damage is contained. The sandbox limits what files, network endpoints, and system resources the agent can access. It's the difference between a bug that reads /etc/passwd and a bug that reads an empty virtual filesystem.
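A minimal "tool in sandbox" filesystem backend with thread-scoped sandboxes, added here as an illustration; it is not Deep Agents' or any provider's code, and the names SandboxFS, ThreadScopedSandboxes and for_thread are hypothetical. It confines every agent-supplied path to a per-thread root, so an injected read of /etc/passwd lands in an empty sandbox and a ".." traversal is refused before any I/O.

```python
import tempfile
from pathlib import Path

class SandboxFS:
    """Filesystem tool backend: every agent-supplied path is confined to one root."""
    def __init__(self, root: Path):
        self.root = root.resolve()

    def _resolve(self, path: str) -> Path:
        # Anchor the path at the root, resolve symlinks and "..", refuse anything that escapes.
        candidate = (self.root / path.lstrip("/")).resolve()
        if candidate != self.root and self.root not in candidate.parents:
            raise PermissionError(f"path escapes sandbox: {path}")
        return candidate

    def write_file(self, path: str, data: str) -> None:
        self._resolve(path).write_text(data)

    def read_file(self, path: str) -> str:
        return self._resolve(path).read_text()

    def list_files(self) -> list[str]:
        return sorted(str(p.relative_to(self.root)) for p in self.root.rglob("*") if p.is_file())

class ThreadScopedSandboxes:
    """One fresh, empty root per conversation thread (thread-scoped sandboxes)."""
    def __init__(self) -> None:
        self._by_thread: dict[str, SandboxFS] = {}

    def for_thread(self, thread_id: str) -> SandboxFS:
        if thread_id not in self._by_thread:
            self._by_thread[thread_id] = SandboxFS(Path(tempfile.mkdtemp(prefix="agent-sandbox-")))
        return self._by_thread[thread_id]

def demo() -> dict:
    sandboxes = ThreadScopedSandboxes()
    fs_a, fs_b = sandboxes.for_thread("thread-a"), sandboxes.for_thread("thread-b")
    fs_a.write_file("/notes.txt", "hello")  # constructed sample write by thread A
    result = {"a_sees": fs_a.list_files(), "b_sees": fs_b.list_files()}
    try:  # an injected "read /etc/passwd" lands in the empty sandbox, not on the host
        fs_a.read_file("/etc/passwd")
        result["passwd"] = "read"
    except FileNotFoundError:
        result["passwd"] = "missing-in-sandbox"
    try:  # ".." traversal out of the root is refused before any I/O happens
        fs_a.read_file("../../../etc/passwd")
        result["traversal"] = "read"
    except PermissionError:
        result["traversal"] = "blocked"
    return result
```

A temporary directory only confines paths, not processes or network access; a deployment would back this interface with one of the providers named above.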