Sandbox Security FAQs

Question 1

Will running code in a sandbox slow down my workflow?

Accepted Answer

No. Thanks to sub-125ms boot times and a daemon mode that maintains pre-warmed pools of sandboxes, the execution speed is nearly indistinguishable from running commands natively.

Question 2

What is the difference between security profiles?

Accepted Answer

The 'restrictive' profile offers no network and a read-only filesystem; 'moderate' (default) allows network but no host mounts; and 'permissive' allows network access, environment passthrough, and filesystem mounts.

Question 3

Can I restrict internet access for specific commands?

Accepted Answer

Yes, you can use the 'restrictive' security profile or the '--no-network' flag to completely block network access, providing maximum isolation for sensitive or untrusted operations.

Question 4

Which programming languages does the sandbox support?

Accepted Answer

The skill automatically detects and configures runtimes for a wide array of environments, including Python, Node.js, Rust, Go, Ruby, Java, PHP, C/C++, .NET, and Terraform.

Question 5

How does the Sandbox skill protect my host system?

Accepted Answer

It leverages agentkernel to wrap commands in isolated containers or Firecracker microVMs, ensuring that executed code cannot access your host filesystem, credentials, or network unless you explicitly grant permission via security profiles.

Sandbox Security

主要功能

使用场景

Sandbox Security

主要功能

使用场景