Files
bot-bottle/docs/research/hn-agent-safety-discourse-july-2026.md
T
didericis-claude 4302678f3e
tracker-policy-pr / check-pr (pull_request) Failing after 6s
docs(research): expand sandbox landscape with 6 new tools; add agent-tailored policy axis
Isolation tools added: Cleanroom (Buildkite), container-use (Dagger),
Docker sbx, Anthropic srt.

Governance/pre-action layers added as a separate section: Microsoft
Agent Governance Toolkit (per-agent DID + YAML policy + trust score),
Open Agent Passport (declarative policy + cryptographic audit).

Comparison table: 14 → 14 columns; new Agent-tailored policy row added.
Second addendum covers competitive position on role-tailoring, Docker
sbx as new DX-class competitor, and borrowable ideas (trust-score decay,
live network TUI, cryptographic audit chain).

Discourse note: adds Per-agent role tailoring to "What it covers well"
with competitive comparison table across 9 tools.
2026-07-18 19:11:14 +00:00

346 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# HN discourse on agent sandbox safety — June/July 2026
A survey of community opinion and notable security disclosures on Hacker
News and adjacent sources over JuneJuly 2026. The question: what does
the current discourse say about whether sandboxes are sufficient for
agentic AI safety, and where does bot-bottle land against the issues
being raised?
Research conducted 2026-07-18.
## Summary
The past month marks a turning point in community opinion. Earlier in
2026, the debate was mostly "which sandbox tool is best?" By JuneJuly,
a cascade of critical CVEs and novel attack classes has shifted the
framing to "sandboxes are not enough — what else do you need?" The
attacks that drove this shift are structurally distinct: most route
through legitimate, trusted channels (Sentry issues, MCP descriptions,
README files) rather than exploiting the isolation boundary directly.
bot-bottle's architecture holds up well against the direct-escape class
(Firecracker/Apple Container default backends, credentials never in the
agent's env, harness entirely on the host). The remaining gap is prompt
injection — attacker-controlled data interpreted as model instructions.
Egress controls and prompt injection defenses are orthogonal: egress
limits what the agent can *send out*; injection is about what it is
*told to do*. The two don't substitute for each other. Inside a tightly-
egressed sandbox a successful injection can't exfiltrate to unknown
hosts, but it can still corrupt the work product, push malicious commits
past a secret scanner, or use allowlisted channels for exfiltration.
Those residual risks are addressed below.
## The sandboxing boom sets the stage
The preceding months generated a wave of sandbox tooling. A March 28
Ask HN thread
([#47444917](https://news.ycombinator.com/item?id=47444917)) catalogued
the explosion: E2B, AIO Sandbox, AgentSphere, Yolobox, Exe.dev,
AgentFence, DenoSandbox, Capsule (WASM), ERA, Vibekit, Daytona, Modal,
Nono, and more — all launched within roughly 12 months. A parallel March
9 thread ([#47185250](https://news.ycombinator.com/item?id=47185250))
surveyed what developers were actually deploying: "containers or YOLO"
dominated. The honest community mood was that most teams hadn't solved
this and were shipping anyway.
## The JuneJuly attack cascade
Six attack patterns broke in quick succession. Together they form the
argument that the community's framing was wrong: the threat model for
agents isn't just "code that escapes its container" — it's also prompt
injection, where attacker-controlled data is interpreted as model
instructions regardless of whether any isolation boundary was crossed.
Sections 24 below are all the same attack class; the "trusted channel"
label describes the delivery vector, not a different threat.
### 1. Sandbox escape CVEs (DuneSlide, CVE-2026-39861)
Cato AI Labs disclosed **DuneSlide** (CVE-2026-50548/50549, CVSS 9.8),
a pair of flaws in Cursor 2.x. CVE-2026-50548 abuses the sandbox's
`working_directory` parameter to point writes at system files; CVE-26-50549
exploits a symlink-resolution fallback that fails open. Both start with
a prompt injection and end in sandbox escape — and Cato's framing was
blunt: "each CVE defeats a different guardrail; the problem is
structural, not a string of one-offs."
Claude Code's own sandbox had a similar escape this year:
**CVE-2026-39861** (symlink flaw). The CurXecute/MCPoison/CVE-2026-26268
chain from Cursor added a poisoned Slack message, a swap-after-approval
MCP config, and a Git hook as three more entry points in the same
attack class.
All patched, but the pattern holds: any application-level sandbox that
takes attacker-influenced values as path parameters is reachable from a
prompt injection.
### 2. Prompt injection via MCP data (Agentjacking)
Tenet's "Agentjacking" technique planted a fake bug report in Sentry's
MCP output. When an agent queries Sentry to fix open issues, the
malicious event is rendered as structured content visually
indistinguishable from a real Sentry event, and the agent executes the
embedded instructions with the developer's full privileges. Hit rate
across Claude Code and Cursor: **85%**. The route is entirely through a
legitimately-authorized MCP channel — no isolation boundary is crossed;
the injection arrives inbound through a channel the sandbox explicitly
trusts.
The Cloud Security Alliance's summary: treat observability, bug-report,
and integration data as **untrusted agent input**, not neutral
development metadata.
### 3. README-embedded prompt injection
A July disclosure showed malicious instructions hidden in `README.md`
— a file that receives no trust prompt and requires no elevated access.
When asked point-blank whether the repo held hidden instructions, both
Claude Sonnet 4.6 and GPT-5.5 said no. A payload written for Sonnet
4.6 transferred unchanged to Sonnet 5, Opus 4.8, and GPT-5.5. The
attack surface is every repo an agent is asked to work in.
### 4. Prompt injection via MCP tool descriptions
Microsoft research (June 30) showed that attacker-controlled MCP tool
description fields can silently redirect agent behavior. The injection
is embedded in metadata the model reads during tool selection — before
any sandbox enforcement or egress check runs, and entirely on the
inbound path that egress controls cannot touch.
### 5. MCP STDIO command injection (10 CVEs)
OX Security disclosed a systemic command injection class in Anthropic's
MCP protocol, covering 10 CVEs across multiple coding agents. The
Windsurf case (CVE-2026-30615): processing attacker-controlled HTML
causes the agent to auto-register a malicious MCP STDIO server and
execute arbitrary commands with no further user interaction.
### 6. LiteLLM gateway compromise (CVE-2026-40217, CVE-2026-42271)
CVE-2026-40217 exposes LiteLLM's guardrail sandbox via `exec()` with no
source filtering. CVE-2026-42271 (exploited in the wild, added to CISA's
KEV catalog) lets callers spawn subprocesses through MCP preview
endpoints. The threat extends to any agent routed through a compromised
LiteLLM proxy: the proxy can swap model responses for forged tool calls
in transit, giving the attacker a reverse shell from the developer's
machine.
## HN community opinion clusters
**"Move enforcement to the kernel, not the app"** — the Nono Show HN
([#46849615](https://news.ycombinator.com/item?id=46849615)) and a
kernel-sandbox thread
([#47066574](https://news.ycombinator.com/item?id=47066574)) both argued
that application-layer sandboxes are inherently bypassable by the code
they're sandboxing. The academic framing, from *Red-Teaming the Agentic
Red-Team* ([arXiv 2606.24496](https://arxiv.org/pdf/2606.24496)):
"enforcement should occur at the OS level via the kernel refusing system
calls that violate policy at runtime — not pre-execution argument
validation in tool calls."
**"The harness belongs outside the sandbox"** — a May thread
([#47990675](https://news.ycombinator.com/item?id=47990675)) converged
on clean architectural separation: harness in one VM, tool execution in
another. Top comment: "having the harness in one VM, and tool use applied
to user data in another, is about as safe as you can be at present."
Several replies described a hypervisor-like policy layer — sitting outside
both VMs — as the right long-term model.
**"Sandboxes are too coarse-grained"** — a Feb thread
([#47006445](https://news.ycombinator.com/item?id=47006445)) argued
that VMs don't answer the real question: knowing whether an agent
*should* be sending an email or making a transaction. "Everything's just
in the same big box." This framing picked up traction through JuneJuly
as the trusted-channel attacks dominated.
**"MCP's trust model is the real problem"** — the month's recurring
theme. MCP by design gives agents access to authorized external services.
Once a trusted channel delivers a malicious payload, filesystem sandboxing
is irrelevant. The community call: treat all MCP tool metadata and return
values as untrusted input subject to policy validation before ingestion,
and disable automatic MCP server loading from untrusted repositories.
## How bot-bottle addresses these issues
### What it covers well
**Direct sandbox escape (CVEs, container breakout)**
bot-bottle's default backends are Firecracker microVM (KVM Linux) and
Apple Container (macOS). Both run the agent in a separate VM with a
dedicated kernel — the container-escape CVE class (Dirty Pipe, runc
escapes, DuneSlide's path-parameter abuse) requires escaping a real
hypervisor boundary, not just a namespace. On the legacy Docker backend,
gVisor auto-detection provides a userspace syscall barrier for hosts where
neither KVM nor Apple Container is available.
The bot-bottle process itself runs entirely on the host, outside the VM.
This is the "harness outside the sandbox" architecture the HN thread
converged on as best practice. The bottle manifest, egress rules, and
secrets never enter the agent VM.
**Credential theft on sandbox escape**
Even on a successful VM/container escape, the agent has nothing useful
to steal. Credentials are injected in-flight by the gateway proxy
(`auth.scheme` / `auth.token_ref` in the egress route config) — `printenv`
inside the agent shows proxy URLs only. The git-gate similarly holds the
upstream SSH credential on the host; the agent pushes through a
gitleaks-scanned daemon that forwards clean refs upstream. An escaped
agent gets the host filesystem, not the keys.
**Orphaned-agent credential risk**
bot-bottle is explicitly ephemeral: when the agent exits, `cli.py` tears
down every gateway and both networks — nothing persists between runs. The
agent never holds credentials, so there is nothing to orphan.
**MCP config redirection / STDIO auto-registration**
The trust boundary at `$HOME` means bottles live only under
`~/.bot-bottle/bottles/` — a cloned repo cannot add egress routes or
redirect env vars to attacker hosts (the design rationale is in
`docs/prds/0011-per-file-md-manifest.md`). Auto-registering a malicious
MCP STDIO server from within the agent is still sandboxed by the VM, and
any outbound calls from that server must pass the egress allowlist and
outbound DLP scanner.
**Per-agent role tailoring (the "coarse-grained sandbox" complaint)**
The Feb 2026 HN thread that argued "sandboxes are too coarse-grained"
was pointing at a real gap: a VM isolates the filesystem but doesn't
know whether an agent *should* be sending email or calling an external
API. bot-bottle's bottle/agent split is a structural answer at the
network layer — the bottle manifest declares exactly what each role can
reach (which hosts, which paths, which HTTP methods), and the egress
scanner enforces it. A `gitea-dev` bottle that only lists
`gitea.dideric.is` and `api.anthropic.com` structurally cannot send
email or reach AWS, not because the model was told not to, but because
those routes don't exist.
The `extends:` composition model means provider-level policy (the Claude
auth route) lives in one base bottle and role-specific overlays are
stacked on top — no duplication, and changing the base propagates to all
derived roles.
Competitive position on this axis (from `agent-sandbox-landscape.md`):
| Tool | Agent-tailored policy |
|---|---|
| **bot-bottle** | Yes — declarative per-role manifest; `extends:` composition; egress + credentials scoped to role |
| **tilde.run** | Yes — per-agent DSL RBAC (allow/deny/approve per action/repo/agent), but hosted SaaS |
| **Microsoft AGT** | Yes — YAML policy + per-agent DID + trust score, but tool-call level only (no network isolation) |
| **OAP** | Yes — declarative pre-action policy + cryptographic audit, but no isolation |
| **Cleanroom** | Partial — per-repo `cleanroom.yaml`, not per-role |
| **Docker sbx** | No — network presets only |
| **Anthropic srt** | No — programmatic per-invocation |
| **matchlock / smolmachines / microsandbox** | No |
| **agent-safehouse** | Partial — per-agent Seatbelt profiles; no egress |
Two takeaways: bot-bottle and tilde.run are the only isolation tools
with declarative role-tailored policy; Microsoft AGT and OAP are the
closest competitors on role-tailoring but operate at the tool-call layer
without network/filesystem isolation — complementary, not substitutes.
**Outbound exfiltration (any injection class)**
Whatever triggers the agent — README injection, Agentjacking, MCP
description poisoning — the final step in most attacks is exfiltration.
bot-bottle's egress allowlist is default-deny with a per-bottle host
allowlist; unknown hosts get a hard 403. Outbound DLP scanning
(`outbound_detectors: [token_patterns, known_secrets]`) catches tokens
and secrets in outbound bodies; the `supervise` policy (default for
manifest routes) holds the request for operator approval rather than
silently blocking it. Together these limit what a successful injection
can *do* even if it succeeds at the model layer.
**LiteLLM / compromised-proxy attacks**
bot-bottle does not use LiteLLM. The model API route (e.g.
`api.anthropic.com`) is an auto-injected provider route on the egress
allowlist; the agent dials the gateway, not the model API directly.
A compromised third-party proxy is not in the architecture.
### Where it is weaker
**Prompt injection**
Egress controls and prompt injection defenses are orthogonal. Egress
limits what the agent can *send out* (outbound leg); prompt injection
is about what attacker-controlled data *tells the agent to do* (inbound
leg). The two don't substitute for each other and must be treated
separately.
The inbound DLP scanner (`inbound_detectors: [naive_injection_detection]`)
is the only runtime defense against injection arriving through allowlisted
channels — Sentry MCP responses, MCP tool descriptions, README content.
It is explicitly pattern-matching and will not catch a sufficiently
crafted payload. There is no semantic / intent-level gate between what
the model decides and what the agent executes.
**Blast radius within the permitted scope**
Inside a tightly-egressed sandbox a successful injection can't
exfiltrate to unknown hosts, but it still has real options:
- *Work product corruption.* The agent can modify, delete, or backdoor
files in the working directory. This is within its permitted scope;
egress controls have nothing to say about it.
- *Malicious commits past the git-gate.* The git-gate scans outbound
refs for secrets (gitleaks), not for semantic code intent. A prompt-
injected agent can commit subtly malicious code — logic bombs,
backdoored auth paths, code that exfiltrates data through the
application's own HTTP clients at runtime — that looks clean to a
secret scanner.
- *Exfiltration through allowlisted channels.* If an attacker knows or
can predict what hosts are in the egress allowlist, those channels are
available for exfiltration. A GitHub remote being allowlisted means
"push to an attacker-controlled fork" is viable. A logging endpoint
being allowlisted means structured data can leave through it. The
outbound DLP scanner catches credential tokens and known secrets but
not arbitrary business data.
- *Dependency installation within the sandbox.* An agent that runs
`npm install` or `pip install` on attacker-specified packages executes
code inside the sandbox with the same capabilities the agent has:
filesystem access, tool calls, calls to allowlisted hosts. Supply chain
injection via package names is in the same injection family, triggered
by the same prompt-injection path.
### What would close the remaining gaps
The blast-radius risks above point at two distinct mitigations that
don't yet exist in bot-bottle:
- *Outbound intent classification.* The egress addon today scans
outbound request content for token patterns. What it lacks is
awareness of context — it can't distinguish "agent is pushing a
legitimate commit" from "agent was injected and is pushing a backdoor."
The `supervise` policy is already the right shape for human-in-the-loop
review on sensitive outbound actions; extending it with context from
the agent's recent tool calls (what files were touched, what was the
triggering task) would narrow the gap.
- *Semantic code review on git push.* gitleaks is the wrong tool for
catching injected logic. A review step on outbound commits — even a
simple diff summary surfaced in `cli.py supervise` before the push is
forwarded — would close the malicious-commit path without requiring
the agent to be fully trusted.
## Sources
- [Ask HN: The new wave of AI agent sandboxes? (Mar 2026)](https://news.ycombinator.com/item?id=47444917)
- [OK, let's survey how everybody is sandboxing AI coding agents (Mar 2026)](https://news.ycombinator.com/item?id=47185250)
- [The agent harness belongs outside the sandbox (May 2026)](https://news.ycombinator.com/item?id=47990675)
- [Show HN: Nono Kernel-enforced sandboxing for AI agents (Feb 2026)](https://news.ycombinator.com/item?id=46849615)
- [Kernel-enforced sandbox for AI agents, MCP and LLM workloads (Feb 2026)](https://news.ycombinator.com/item?id=47066574)
- [Sandboxes will be left in 2026 (Feb 2026)](https://news.ycombinator.com/item?id=47006445)
- [Critical Cursor Flaws / DuneSlide The Hacker News](https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html)
- [Agentjacking Attack The Hacker News](https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html)
- [Friendly Fire: AI Agents Built to Catch Malicious Code The Hacker News](https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html)
- [Microsoft Warns Poisoned MCP Tool Descriptions The Hacker News](https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html)
- [MCP STDIO Command Injection Advisory OX Security](https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/)
- [LiteLLM Vulnerability Chain The Hacker News](https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html)
- [Red-Teaming the Agentic Red-Team (arXiv 2606.24496)](https://arxiv.org/pdf/2606.24496)