Tuscan Agency
How We Sandbox AI Agents That Have Sudo Access
Jarred Porter

Jarred Porter

Automation

How We Sandbox AI Agents That Have Sudo Access

May 26, 2026

When an AI agent can run shell commands, the risk model changes fast. Here is how engineers are structuring sandboxed environments for automation tools like Make.com, n8n, and Claude Code.

Giving an AI agent shell access is not the same as giving it a keyboard shortcut. When an agent can run arbitrary commands, a single misfire can wipe a directory, overwrite production config, or silently exfiltrate data before anyone notices.

The Risk Model Is Different Than Most Teams Assume

Most security thinking around software focuses on external attackers. With AI agents that have elevated system access, the threat is internal and accidental. A developer on r/LocalLLaMA described their experience testing OpenAI Codex in an agentic loop: the model confidently executed a shell sequence that looked locally correct but was destructive in the context of the actual filesystem layout. The post drew hundreds of comments from engineers who had seen similar behavior, where the agent was not malicious but was wrong in a way that mattered.

The core issue is that large language models generate plausible-looking commands without a real model of your system state. When that output feeds directly into a shell process running as root or a privileged service account, plausible-looking is not good enough. The failure mode is not a hacked agent. It is a confidently incorrect one.

What a Real Sandbox Actually Requires

A sandbox for an AI agent with shell access needs at least three layers to be meaningful. First, filesystem isolation. The agent should not be able to read or write outside a defined working directory. Docker volumes, Linux namespaces, and tools like Firejail or gVisor all enforce this at the kernel level, which is harder to escape than application-level path checking. Second, network egress controls. An agent that can exfiltrate data over an outbound HTTP call defeats the point of filesystem isolation. Egress filtering via iptables rules or a sidecar proxy is standard in production setups. Third, privilege separation. The process running agent-generated commands should never be the same process that owns application secrets or production credentials. A dedicated low-privilege user with scoped permissions limits blast radius even if the first two layers fail.

Engineers reporting on production deployments consistently flag that most teams skip layer two. Filesystem isolation gets implemented early because it is visible. Network controls get deferred because they are annoying to configure and easy to miss in local development.

How This Plays Out Across Common Automation Stacks

The sandboxing challenge looks different depending on which tooling is in use. In Make.com, agents operate through HTTP modules and API calls rather than direct shell access, so the risk surface is credential leakage and scope creep in connected app permissions rather than raw command execution. The mitigation is tight OAuth scopes and dedicated service accounts per automation, not per team.

In n8n, the Execute Command node changes the picture entirely. A workflow that chains an LLM response into an Execute Command node is functionally giving the model shell access on whatever host runs n8n. Teams running self-hosted n8n in production are advised by the n8n documentation itself to disable that node in environments where untrusted data flows through the workflow. Few do. Running n8n inside a Docker container with a restricted user and no host volume mounts is the minimum viable isolation for workflows that touch any LLM output.

With Claude Code and similar agentic coding tools, Anthropic ships the tool with a permission system that prompts before executing certain action categories. But that guardrail is advisory, not enforced at the OS level. Developers using Claude Code in headless or automated modes, common in CI pipelines, often disable the interactive prompts entirely, removing the last human checkpoint. The recommended pattern from engineers who have documented this publicly is to run Claude Code inside a throwaway container with a snapshot of the repo, then diff the output before applying it anywhere persistent.

The Minimum Viable Sandbox for Client Automations

For agencies and developers shipping automations to clients, the practical baseline that shows up repeatedly in practitioner writeups covers four points. Use a dedicated service account or API key for each automation, scoped to exactly the permissions the workflow needs and nothing else. Run any workflow that can execute code or shell commands inside a container or VM that is not your production environment. Log every action the agent takes before it is committed, not after. And build a kill switch, meaning a way to pause or disable the automation without touching the underlying system, into every deployment from day one.

Stacks like Next.js on Vercel and Supabase make the service account model straightforward because both platforms support fine-grained API tokens. The harder discipline is enforcing it consistently across every workflow, including the quick ones that get stood up fast and never reviewed again.

Why This Matters More as Models Get Better

A common response to sandboxing concerns is that the model will eventually be smart enough not to make destructive mistakes. That framing gets the risk backwards. More capable models execute more complex action sequences, which means a mistake at step eight of a twelve-step agentic task is harder to detect and harder to reverse than a mistake at step one. Capability growth is not a reason to relax sandboxing. It is a reason to invest in it earlier.

OpenAI, Anthropic, and Google have all published guidance in 2024 and 2025 around agentic safety that explicitly calls out privilege minimization and action reversibility as core requirements, not nice-to-haves. The r/LocalLLaMA thread on Codex sandboxing is one data point in a much larger pattern: the teams reporting clean agentic deployments are the ones who treated the sandbox as a first-class engineering concern before they gave the model a shell.

The structure that holds up in practice is simple: isolate the filesystem, restrict egress, separate privileges, and log before committing. Any automation that touches shell commands or executes code on behalf of an LLM deserves that treatment from the first deploy, not after something goes wrong.

Tuscan Agency

Start a project.

https://

Start a project.

Tell us what you’re trying to build — a new website, an automation system, an AI tool, or all three. We respond within two business days.

Two-business-day response.

Standard from day one. Written into every contract.

Honest scope.

Fixed price, written scope, no surprise invoices. $100/hr pre-approved overage if scope shifts.

Jarred Porter

Founder

Jarred Porter

Ask directly