Background
I have written about this before: software engineers, and now AI agent users, run a lot of third-party tools on their machines.
These tools can be helpful, but they do get compromised.
- Amazon shipped a malicious version of Amazon Q
- Trivy, a security scanner, was compromised and served malicious versions, which led to the backdooring of LiteLLM and Mercor
- A meme npm package caused a denial-of-service attack
Consider your home
When you invite a friend over to your home, they have access to your living room and may be able to use a restroom. They don't get to visit your bedroom, your home office, or your storage room.
Further, once they leave, they cannot get back in without your permission.
That's not how we install tools. When we run brew install trivy, we give the trivy binary, the tool's author, and anyone who ever compromises the tool's source code on GitHub (for example via a compromised GitHub Action) permanent, unrestricted access to everything our user account can reach: every file, credential, and SSH key on the machine.
That's not how it should work, and that's exactly what amazing-sandbox solves.
I have been using this setup for almost a year now, and I am confident about making it public.
Amazing Sandbox
Rather than running trivy directly on your machine, run it inside Docker.
Running it inside Docker does require figuring out volume mounts and similar details. Further, you want to give the tool the illusion of a rich interactive shell, so that it produces rich output, including hyperlinks.
And that's where Amazing Sandbox comes in.
It can run any tool inside Docker transparently. Further, for AI agents like Gemini CLI and Claude Codex, it automatically mounts the corresponding settings directory from your home directory, so the agent behaves as if it were running on your local machine, without the fear that it can wipe your disk.
Here is how I use it
- asb gem exec fastlane prevents Fastlane, a tool for mobile app development, from accessing anything outside the current directory, while still allowing it to publish my MusicSync app to the Google Play Store.
- asb npx htmlhint prevents htmlhint, a tool for linting HTML files, from accessing anything outside the current directory, while still allowing it to lint my HTML files.
- asb -n uvx yamllint prevents yamllint, a tool for linting YAML files, from accessing anything outside the current directory, or even the Internet, while still allowing it to lint my YAML files.
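To make the mechanics concrete, here is a small POSIX sh wrapper in the spirit of asb. It is an added example, not amazing-sandbox's own code: it runs a tool from a Docker image with the current directory as the only writable host path, cuts the network off with -n, allocates a TTY only when the caller really has one, and mounts an agent's settings directory from $HOME when it knows one. The image name, the docker flags chosen, and the settings-directory names (.gemini, .claude, .codex) are assumptions, not something the page or the project specifies.

```shell
#!/bin/sh
# Added example, not amazing-sandbox's own code: a minimal `asb`-style
# wrapper. Assumptions: docker is on PATH, IMAGE provides TOOL, and the
# settings directory names below are guesses for each agent.

# settings_dir TOOL: prints the $HOME-relative settings dir to mount, if any
settings_dir() {
  case "$1" in
    gemini) printf '%s\n' ".gemini" ;;   # assumed Gemini CLI settings dir
    claude) printf '%s\n' ".claude" ;;   # assumed Claude Code settings dir
    codex)  printf '%s\n' ".codex" ;;    # assumed Codex settings dir
    *) ;;                                # plain tools get no home access
  esac
}

# sandbox_run [-n] IMAGE TOOL [ARGS...]
# SANDBOX_DIR / SANDBOX_HOME override $PWD / $HOME; SANDBOX_DRY_RUN=1 prints
# the argv (one word per line) instead of executing it.
sandbox_run() {
  net=bridge
  if [ "$1" = "-n" ]; then net=none; shift; fi   # -n: no network at all
  image=$1; tool=$2; shift 2
  dir=${SANDBOX_DIR:-$PWD}
  home=${SANDBOX_HOME:-$HOME}
  tty=""
  # Allocate a TTY only when we really have one, so piped use keeps working
  if [ -t 0 ] && [ -t 1 ]; then tty="-it"; fi

  # Build argv back to front with set --, so quoting of ARGS is preserved
  set -- "$image" "$tool" "$@"
  cfg=$(settings_dir "$tool")
  if [ -n "$cfg" ]; then
    # Agents get their own settings dir and nothing else from $HOME
    set -- -v "$home/$cfg:/home/sandbox/$cfg" "$@"
  fi
  set -- docker run --rm $tty \
    --network "$net" \
    --cap-drop ALL --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    --user "$(id -u):$(id -g)" -e HOME=/home/sandbox \
    -v "$dir:/work" -w /work \
    "$@"

  if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    "$@"
  fi
}
```

Usage: sandbox_run -n some/yamllint-image yamllint . mirrors the asb -n uvx yamllint case, and sandbox_run some/gemini-image gemini mirrors the agent case. Everything outside /work and the mounted settings directory is read-only inside the container, so a compromised tool that tries to write elsewhere under HOME, drop a persistence file, or escalate via a setuid binary fails outright, and --cap-drop ALL plus --user keep it from running as root even inside its own filesystem.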
You can see more examples in my dotfiles. Or see the description and source code of the project.
