Agent sandbox
An agent sandbox is the isolated execution environment where an LLM-driven agent runs code, browses, or controls a desktop — the safety boundary that contains prompt-injection blast radius.
Production agents need isolation: a code-running agent shouldn't `rm -rf /`, a computer-use agent shouldn't make purchases, a browser agent shouldn't post to private channels. Sandboxes provide that boundary. Common forms: ephemeral Docker containers (E2B, Daytona, Modal), microVMs (Firecracker via Fly Machines), browser sandboxes (Browserbase, Browserless), WebContainers (StackBlitz). The sandbox should be ephemeral (new instance per session), network-restricted (allowlist outbound, no inbound), credential-free (agent shouldn't have prod tokens), time-limited (kill after N minutes), and resource-limited (CPU/memory caps). Without a sandbox, prompt injection from any retrieved content can execute arbitrary actions in your environment.
When to use agent sandbox
- Any production agent that runs code or controls a desktop.
- Browser agents touching authenticated sessions.
Common mistakes
- Sharing a single sandbox across users — one session's state leaks to the next.
- Giving sandbox access to prod credentials — defeats the point.
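The five properties listed above (ephemeral, network-restricted, credential-free, time-limited, resource-limited) and the two mistakes just named can be checked mechanically before a sandbox is launched. The following is an added example, not code from this page or from any of the products it names: a small policy check over a launch spec that is then turned into a `docker run` command. The `docker run` flags are real; the `agent-egress` network name, the egress proxy that would enforce the allowlist, and the secret-name patterns are assumptions made for the example.

```python
"""Policy check for an agent sandbox launch spec (constructed example)."""
from dataclasses import dataclass, field
import re

# Constructed heuristic: env var names that usually carry credentials the agent must not get.
SECRET_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|AWS_|PRIVATE_KEY)", re.I)


@dataclass
class SandboxSpec:
    image: str
    session_id: str                                      # one container per session
    env: dict = field(default_factory=dict)
    egress_allowlist: list = field(default_factory=list)  # hosts the agent may reach
    ttl_seconds: int = 600                               # kill after N seconds
    cpus: float = 1.0
    memory: str = "512m"
    reuse_across_sessions: bool = False


def audit(spec: SandboxSpec) -> list[str]:
    """Return the glossary's sandbox properties that this spec violates (empty = OK)."""
    problems = []
    if spec.reuse_across_sessions:
        problems.append("not ephemeral: container shared across sessions")
    for name in spec.env:
        if SECRET_ENV.search(name):
            problems.append(f"credential-bearing env var passed in: {name}")
    if spec.ttl_seconds <= 0:
        problems.append("no time limit")
    if spec.cpus <= 0 or not re.fullmatch(r"\d+[bkmg]?", spec.memory, re.I):
        problems.append("missing CPU/memory cap")
    return problems


def docker_args(spec: SandboxSpec) -> list[str]:
    """Translate an audited spec into a `docker run` argument list."""
    problems = audit(spec)
    if problems:
        raise ValueError("spec violates sandbox policy: " + "; ".join(problems))
    args = ["docker", "run", "--rm", "--name", f"agent-{spec.session_id}",
            "--cpus", str(spec.cpus), "--memory", spec.memory, "--pids-limit", "256",
            "--cap-drop", "ALL", "--security-opt", "no-new-privileges", "--read-only",
            "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m", "--stop-timeout", "5"]
    # Docker has no per-host egress allowlist: an empty allowlist means no network at all;
    # otherwise the container joins a dedicated network whose egress proxy (assumed,
    # not shown here) is what actually enforces the allowlist and blocks inbound traffic.
    args += ["--network", "none" if not spec.egress_allowlist else "agent-egress"]
    for key, value in spec.env.items():
        args += ["-e", f"{key}={value}"]
    # `timeout` enforces the time limit from outside the container.
    return ["timeout", str(spec.ttl_seconds)] + args + [spec.image]
```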
FAQ
What is agent sandbox?
An agent sandbox is the isolated execution environment where an LLM-driven agent runs code, browses, or controls a desktop — the safety boundary that contains prompt-injection blast radius.
When should I use agent sandbox?
Any production agent that runs code or controls a desktop. Browser agents touching authenticated sessions.
What are the most common mistakes with agent sandbox?
Sharing a single sandbox across users — one session's state leaks to the next. Giving sandbox access to prod credentials — defeats the point.
Related terms
- Computer use — Computer use is the agent capability where an LLM controls a real desktop or browser via screenshots + mouse/keyboard primitives — Anthropic introduced it in 2024 and it's mainstream across Claude, GPT, Gemini in 2026.
- Browser agent — A browser agent is an LLM-driven system that controls a real or headless web browser to navigate sites, fill forms, click, and extract data — automating tasks that require interacting with web UIs.
- Prompt injection — Prompt injection is an attack where hostile content in a model's input (a webpage, a retrieved document, a user message) overrides the system prompt's instructions.
Last updated: 2026-06-01. Raw markdown: https://promtable.com/glossary/agent-sandbox.md.