How do I sandbox AI agent code execution and shell or browser tools?

Sandboxing AI agent code execution and shell or browser tools requires isolating the agent's environment and strictly controlling its access to resources and external systems. This addresses the OWASP LLM Top 10 risk of "LLM04: Insecure Output Handling" by preventing malicious code execution or unintended actions.

Concrete controls for sandboxing AI agent code execution and shell or browser tools include:

• Kernel-level isolation: Utilize technologies like gVisor or Firecracker for container escape prevention, ensuring no host filesystem access and enforcing kernel-level resource limits. DefenseClaw offers optional integration with NVIDIA OpenShell sandboxing for kernel-level runtime isolation.
• Network access control: Restrict outbound network access for sandboxed environments, allowing connections only through a controlled broker.
• Ephemeral filesystems: Implement ephemeral filesystems for sandboxed environments to prevent persistent storage of potentially malicious data or code.
• Credential isolation: Ensure sandboxed environments do not have access to the agent's credentials.
• Tool broker and IBAC: Implement a tool broker that validates every tool call against the agent's identity, active intent token, and established policies. This broker enforces Intent-Based Access Control (IBAC) by normalizing heterogeneous tool calls to canonical actions and applying a single policy set across all agent runtimes. Policies can be granular, differing by agent identity, environment, resource context, and time-based rules.
• Lazy sandbox provisioning: Provision sandboxes only when an agent's tool call explicitly requires one, rather than at the start of a session, to optimize resource usage and reduce the attack surface for sessions that do not require execution.
• Filesystem isolation for multi-agent systems: For multi-agent architectures, ensure filesystem isolation between agents using worktrees to prevent one agent's writes from corrupting another's working tree.
• Container-native monitoring: Deploy lightweight agents inside containers at startup to enumerate running processes, loaded MCP servers, active LLM connections, and configured tool sets, addressing container and sandbox blind spots. This is crucial because host-level endpoint monitoring tools often cannot observe processes within a Docker container.
• Tool-call validation gates: Implement schema validation, allowlisted tools/actions, and parameter constraints for every tool call. Schema validation is a cost-effective and efficient check to interrupt attacks where agents produce malformed responses.
• Intent re-verification: Before any consequential action, the system should re-derive whether the action aligns with the originally declared intent, operating from the attested intent rather than the agent's potentially corrupted current reasoning.
• Runtime enforcement and dynamic intervention: Establish runtime controls as a last line of defense, with verification checks at each step against policy and intent. When verification fails, enforcement actions can include blocking, redacting, transforming, escalating, or quarantining. Dynamic intervention allows for updating behavior in real-time without redeployment.
• Complete mediation and defense in depth: Ensure every action passes through a verification point (complete mediation) and implement multiple independent verification layers (defense in depth) so that an attacker must defeat all layers while the defender only needs one to catch an attack.