← Back to blog
/8 min read/thane team

Why Your AI Coding Agent Needs a Sandbox

AI coding agents run with your full user permissions. Here's why that's dangerous and what you can do about it.

securitysandboxingai-agents

The problem: AI agents run with your permissions

When you launch Claude Code, Cursor, or Codex in your terminal, the agent inherits every permission your user account has. It can read your SSH keys, access your AWS credentials, browse your browser history, and execute any command you could run yourself.

This isn't a bug — it's how Unix processes work. But it means a single hallucinated rm -rf ~/ or a prompt injection in a dependency's README could wipe your home directory before you can react.

Most developers accept this risk because the alternative — not using AI agents — feels worse. But there's a better option.

Real risks, not hypothetical ones

These aren't theoretical attacks. Here's what can go wrong when an AI agent runs unsandboxed:

Environment variable exfiltration. Your shell environment contains API keys, database URLs, and cloud credentials. An agent can read $AWS_SECRET_ACCESS_KEY and embed it in a curl command to an external server — and it will look like a normal API call in your terminal output. Destructive commands. A confused agent might run git push --force to the wrong branch, drop a database table while "cleaning up," or delete files outside the project directory. The agent doesn't know the blast radius of its actions. Supply chain attacks via prompt injection. When an agent reads a malicious package's README or a crafted GitHub issue, the injected instructions can hijack the agent's behavior. The agent might install a backdoored dependency or exfiltrate code — all while appearing to work normally. Lateral movement. An agent working on project A can freely read the source code, credentials, and git history of project B sitting in a sibling directory. There's no workspace boundary.

What sandboxing actually means

Sandboxing is the practice of restricting what a process can do at the operating system level. It's not a Docker container or a VM — it's a set of kernel-enforced rules that limit file access, network connections, and system calls.

On Linux, modern sandboxing uses two kernel features:

  • Landlock restricts filesystem access. You define which paths are readable, writable, or completely denied — and the kernel enforces it. A sandboxed process literally cannot open files outside its allowed paths, even if it runs as your user.
  • seccomp (secure computing mode) restricts which system calls a process can make. You can block dangerous calls like ptrace, mount, or reboot while allowing normal operations like file I/O and networking.
On macOS, App Sandbox provides similar guarantees through the Seatbelt framework — declaring entitlements that limit file access, network usage, and inter-process communication.

The key property of OS-level sandboxing is that it's mandatory and tamper-proof. The sandboxed process cannot disable or circumvent the restrictions because they're enforced by the kernel, not by the application itself.

Beyond sandboxing: visibility and control

Sandboxing stops the worst-case scenarios, but running AI agents safely requires more than just restrictions:

Audit trails. You need to know what the agent did — which files it accessed, which commands it ran, which network connections it made. A tamper-proof log with SHA-256 hash chaining means neither the agent nor anyone else can retroactively alter the record. Cost tracking. AI agents burn through API tokens fast. Per-workspace cost tracking lets you see which tasks are expensive and set budgets before a runaway agent racks up a surprise bill. Queue management. Running one agent at a time is manageable. Running five concurrently is chaos without a task queue that handles priority ordering, dependency chaining, and token limit pauses. Sensitive data detection. Even with sandboxing, an agent might handle data it shouldn't log or transmit. Real-time PII and credential detection in terminal output catches leaks before they become incidents.

How thane solves it

thane is a terminal workspace manager built from the ground up for AI coding agents. Every workspace gets:

  • Per-workspace Landlock + seccomp sandboxing — define read-only paths, read-write paths, and denied paths per workspace. The agent can access project files but not your SSH keys or other projects.
  • Network isolation — optionally block all outbound network access, or restrict it to specific hosts. No surprise curl commands to unknown servers.
  • Tamper-proof audit log — every security-relevant event (file access, command execution, network connections) is logged with SHA-256 hash chaining. Export to JSON for compliance or forensics.
  • Agent queue with headless execution — submit tasks via CLI, chain dependencies, pause on token limits. Each task runs in its own sandboxed workspace without a GUI.
  • Real-time cost tracking — see token usage and API costs per workspace, per agent, per task.
  • Sensitive data detection — flags credentials, API keys, and PII in terminal output before they reach a log file or are transmitted.
All of this runs locally on your machine. No cloud services, no per-minute billing, no data leaving your laptop.

Getting started

thane is free and open source (AGPL-3.0). Install it in under a minute:

Linux

curl -fsSL https://getthane.com/install.sh | bash

macOS

Download the latest DMG from getthane.com.

From source

git clone https://github.com/MaranathaTech/thane.git
cd thane
cargo build --release

Star the repo on GitHub: github.com/MaranathaTech/thane

thane is built with Rust, GTK4, and a healthy dose of paranoia about what AI agents do when you're not looking.