Full power.
Full safety.
No compromise.

The sandbox runtime that ends the AI agent dilemma — agents run without restrictions, your host stays completely untouched. Powered by your existing Claude Code & Codex subscriptions, not per-token API billing.

Get Started GitHub →

YOUR HOST Mac Mini · localhost

SANDBOX

NO HOST NET NO HOST FS CREDS SAFE

🛡

HOST UNTOUCHED

agent ran free · host saw nothing

How It Works

One daemon, many sandboxes, unlimited agents

Start Daemon

One daemon per host. Manages all networks, mounts, and credentials.

1 HOST → 1 DAEMON

Create Sandboxes

One daemon creates N isolated sandboxes. Each has its own network and filesystem.

1 DAEMON → N SANDBOXES

Run Agents

Each sandbox runs M agents. Claude Code, Codex, or any CLI — all in parallel.

1 SANDBOX → M AGENTS

Get Results

Agents deliver code, commits, PRs back to host. Sandboxes destroyed — host untouched.

M RESULTS → HOST · SANDBOX → ∅

Core Features

Everything your agents need. Nothing your host risks.

Unrestricted Agents

Agents install anything, run anything, break anything — inside the sandbox. Zero permission prompts. Zero manual approvals. Full autonomy.

$ npm install tensorflow-gpu

✓ 847 packages installed

$ python train.py --epochs 500

✓ Running at full speed...

$ curl api.openai.com/v1/chat

✓ Internet open — host safe

Complete Host Isolation

No host filesystem access. No host network access. No exceptions. A bad agent command destroys only the sandbox — never your machine.

Subscriptions Work Out of the Box

Your Claude Code and Codex CLI subscriptions work immediately inside sandboxes — one command to launch, no API keys, no per-token billing. SSH agent and GitHub CLI auth inherited automatically.

Internet Fully Open

Agents freely download packages, call external APIs, clone repos. Internet is open — your internal network is permanently blocked.

Local-First — No Dedicated Machine

No need for a dedicated Mac Mini or remote VPS. Sandboxes run on your existing machine with VM-level isolation. Zero latency, zero cost, data never leaves. Same daemon and SDK work in cloud deployments when you need to scale.

Security Model

Every guarantee is enforced by the platform — not reliant on agent behavior

Layer	Mechanism	Status
Host network	Each sandbox gets its own isolated Docker network. Cannot reach `localhost`, host services, or the local network.	blocked
Internet access	Agents freely download packages, call APIs, clone repos, and interact with the outside world.	open
Host filesystem	Zero access by default. Only explicitly declared mounts are allowed; the daemon rejects anything unsafe.	invisible
Credentials	Only daemon-defined shortcuts (SSH forwarding, gh CLI auth) can enter. Fixed rules — no arbitrary host path passthrough.	minimal
Cleanup	All runtime resources (containers, networks, filesystem state) fully removed on delete. No orphans, no leaks.	complete

Why Not Built-in Sandboxes?

Codex and Claude Code both have sandboxes. Neither actually solves the dilemma.

	Restricted mode Codex workspace-write / Claude Code default	Unrestricted mode Codex danger-full-access / Claude Code --dangerously-skip-permissions	Agents Sandbox
git commit / push	✗ Blocked or needs approval	✓ Works	✓ Works
Install deps, build, test	Partial — may trigger approval	✓ Works	✓ Works
Network access	All (host exposed) or nothing	All (host exposed)	Internet yes, host blocked
Approval prompts	Frequent	✗ None — all bypassed	✓ None needed
Host filesystem	Full-disk readable	Fully read & writable	Invisible — declared mounts only
Other projects on machine	Readable	Readable & writable	Invisible
Credential exposure	Inherits host environment	Inherits host environment	Only explicit projections (SSH agent, gh auth)
Host safety	Partial	None	Full — host untouched
Blast radius of a bad command	Limited writes, but host readable	Entire host machine	Only the disposable sandbox
Dedicated hardware required	Runs on bare host — needs separate machine for safety	Runs on bare host — needs separate machine for safety	No — VM-level isolation on your existing machine
Cost model	Flat-rate subscription, but host at risk	Flat-rate subscription, but host at risk	Same subscriptions, fully isolated — no extra cost

Quick Start

Your Claude Code & Codex subscriptions, fully isolated in one command

# Install agents-sandbox (daemon starts automatically) $ curl -fsSL https://agents-sandbox.com/install.sh | bash # Run interactive Claude Code in an isolated sandbox with full permissions. # Equivalent to running: claude --dangerously-skip-permissions $ agbox agent claude # Run interactive Codex in an isolated sandbox with full permissions. # Equivalent to running: codex --dangerously-bypass-approvals-and-sandbox $ agbox agent codex

View full documentation →