Sandboxed AI Agent Deployment: The Real Risks of 2 Lines of Code
onprem.llmagentexecutorai agentsandboxed executionllm deploymentdockerpodmanai securitydeveloper toolsollamapatchpalmitre att&ck

Sandboxed AI Agent Deployment: The Real Risks of 2 Lines of Code

By Daniel MarshMarch 18, 2026

The Incident

The ease of sandboxed AI agent deployment in just two lines of code, often cited in reference to the OnPrem.LLM Agent pipeline's AgentExecutor component, showcases how quickly developers can get started. This framework supports both popular cloud-based models (e.g., openai/gpt-5.2-codex, anthropic/claude-sonnet-4-5, gemini/gemini-1.5-pro) and local options (e.g., Ollama (ollama/llama3.1), vLLM (hosted_vllm/), or llama.cpp via an OpenAI interface). This minimal setup, typically involving instantiation and execution with sandbox=True, makes it easier for developers to experiment with isolated sandboxed AI agent environments.

The Mechanism

The OnPrem.LLM AgentExecutor integrates the PatchPal coding agent with LiteLLM-supported models, providing strong support for tool use. Nine built-in tools are available by default, including read_file, read_lines, write_file, edit_file, grep, find, web_search, web_fetch, and notably, run_shell. Agents operate within a specified working_dir, restricted by default from accessing files outside this scope.

Activating sandbox=True during AgentExecutor initialization isolates the agent within an ephemeral Docker or Podman container. This provides a clean, reproducible environment, protecting the host file system from direct modification and ensuring automatic cleanup. This mechanism is central to effective sandboxed AI agent deployment. The trade-off is a 5-10 second container startup overhead, requiring Docker or Podman on the host.

The "2 lines of code" typically refer to:

  1. from onprem import AgentExecutor
  2. agent = AgentExecutor(model="ollama/llama3.1", sandbox=True)

Alternatively, the second line could be agent.run("Perform a task.") after instantiation.

This minimal example, while functional, operates under several implicit assumptions:

  • The necessary container runtime (Docker or Podman) is already installed and configured on the host.
  • The chosen LLM (e.g., ollama/llama3.1) is accessible and properly configured, including context window settings if it's a local model.
  • The onprem and patchpal libraries are pre-installed.
  • The agent's task is straightforward enough to be handled by default tools and configurations, without requiring custom tools, specific resource limits, or advanced working_dir setups.

Sandboxing provides critical isolation; however, it's not a complete solution. While the sandbox protects the host's integrity from direct file system manipulation, the run_shell tool, enabled by default, still presents a significant attack vector *within the container's ephemeral environment*. An agent could execute arbitrary scripts to cause resource exhaustion or data corruption *within the container's view of the working_dir*.

Even with sandboxing, if sensitive data is mounted into the agent's working_dir or fetched via web_fetch, the agent can still process and potentially exfiltrate this data. This aligns with MITRE ATT&CK techniques such as T1041 (Exfiltration Over C2 Channel) or T1048 (Exfiltration Over Alternative Protocol), where an agent, if prompted maliciously, could use network-enabled tools like web_search to transmit sensitive information to an external adversary-controlled endpoint.

Terminal window showing two lines of code for sandboxed AI agent deployment, with server infrastructure in the background.

Consequences of Simplified Sandboxed AI Agent Deployment

The "2 lines of code" approach for sandboxed AI agents offers clear benefits, yet it also brings serious operational and security risks if developers don't fully understand its implications.

Positive Impact

  • The minimal setup significantly lowers the barrier for developers, enabling rapid experimentation and iterative development in isolated environments, thus accelerating prototyping for new agent-based applications.
  • Sandboxing provides essential isolation, protecting the host system from unintended changes and addressing a key concern about running untrusted AI code.

Potential Risks

The apparent simplicity of launching a sandboxed agent might give developers a false sense of complete security. This ease of sandboxed AI agent deployment often overlooks critical security configurations. The two lines of code do not configure critical aspects like resource limits, specific tool whitelisting, or hardened container images, which are all vital for production environments.

Beyond initial launch, managing, monitoring, and scaling these agents in production adds considerable management complexity. This includes container lifecycle management, robust logging, performance monitoring, and incident response for agent misbehavior.

If the run_shell tool remains enabled by default, an agent, even within a sandbox, could be prompted to execute malicious commands or scripts. This directly maps to MITRE ATT&CK T1059 (Command and Scripting Interpreter), specifically T1059.004 (Unix Shell). While the host is protected, the integrity of data and processes *within* the container could be compromised. For instance, an agent could be coerced to delete critical files within its `working_dir` (e.g., `rm -rf ./*`) or launch an infinite loop, leading to resource exhaustion or data corruption *within the container's ephemeral environment*.

If an agent is granted access to sensitive data within its `working_dir` or through tools like web_fetch, the sandbox primarily isolates the *execution environment* from the host. It does not inherently prevent the agent from processing, manipulating, or attempting to exfiltrate that data via other allowed network-enabled tools if prompted to do so. This is a direct exfiltration risk, aligning with MITRE ATT&CK T1041 (Exfiltration Over C2 Channel), where the agent acts as an unwitting insider, transmitting data to an external destination.

Without explicit resource limits configured for the Docker/Podman container, an agent could be prompted to perform computationally intensive tasks. This can lead to resource exhaustion *within the container*, which, if unchecked, can impact the host system by consuming all available CPU or memory. This scenario aligns with MITRE ATT&CK T1499 (Endpoint Denial of Service), where an adversary aims to degrade or interrupt system availability through resource abuse.

Securing Sandboxed AI Agent Deployment in Production

OnPrem.LLM offers key ways to reduce the risks of running autonomous agents. These controls are vital for secure sandboxed AI agent deployment. The primary control is sandbox=True, which leverages containerization for isolation. Beyond this, the framework allows for explicit control over agent capabilities through disable_shell=True to remove shell access, and enabled_tools=['tool1', 'tool2'] to whitelist specific tools, only granting the minimum necessary permissions. The default restriction of agents to their working_dir also contributes to containment.

Transitioning from a two-line demonstration to a secure, robust production sandboxed AI agent deployment requires a more thorough security approach.

Developers must move beyond default tool configurations. Explicitly defining `enabled_tools` to grant only necessary capabilities is a critical step in minimizing the attack surface. For instance, `disable_shell=True` should be the default unless the `run_shell` tool is absolutely essential for the agent's function. When `run_shell` is enabled, its use must be carefully evaluated and managed, much like privileged commands in a `sudoers` file, to prevent an agent from executing arbitrary commands that align with MITRE ATT&CK T1059 (Command and Scripting Interpreter) within its container.

Granular resource limits (CPU, memory, network bandwidth) are indispensable for agent containers. Implementing these limits, for example, using `docker run --cpus="0.5" --memory="512m"`, prevents individual agents from consuming excessive host resources. This directly mitigates potential denial-of-service scenarios, aligning with MITRE ATT&CK T1499 (Endpoint Denial of Service), by containing resource abuse within the allocated container environment.

Furthermore, deploying agents within minimal, hardened container images, such as those built upon `python:3.11-slim` with only essential dependencies, reduces the overall attack surface. A rigorous patching schedule is essential to address known vulnerabilities, as evidenced by the rapid patching cycles for critical system libraries like `glibc` (e.g., CVE-2024-2961) or `OpenSSL` (e.g., CVE-2023-5678), which can otherwise be exploited even within a containerized environment.

Robust input validation and sanitization upstream are crucial to mitigate adversarial attacks that manipulate agent behavior. This directly addresses prompt injection, a form of adversarial prompting (MITRE ATT&CK T0880), akin to preventing SQL injection at the application layer. By carefully filtering and validating user inputs, organizations can prevent malicious prompts from coercing agents into unintended or harmful actions.

Extensive monitoring for agent activity, tool usage, and container health is a non-negotiable practice. All agent actions, particularly those involving file system access or network requests, must be meticulously logged. This granular logging is vital for auditing, enabling the detection of anomalous behavior that might indicate an attempted exfiltration (T1041) or unauthorized command execution (T1059), and providing the necessary forensic data for incident response.

Sensitive data should never be unnecessarily exposed within the agent's `working_dir` or made accessible via its tools. Implementing strict access controls for any data sources the agent interacts with, adhering to the principle of least privilege, is paramount. This minimizes the blast radius should an agent be compromised and prevents unauthorized data access or exfiltration attempts.

For production deployments, agents must be integrated into a secure orchestration framework. Solutions like Kubernetes, with its robust Role-Based Access Control (RBAC) and network policies, provide automated deployment, scaling, policy enforcement, and secure credential management. This moves far beyond simple instantiation, offering a controlled environment to manage the lifecycle and security posture of numerous agents.

Finally, developer education is not merely beneficial; it is essential. The critical distinction between easily *launching* an agent in two lines of code and *running it securely in production* must be unequivocally clear. Organizations should provide explicit guidelines and best practices for hardening, monitoring, and managing sandboxed AI agents throughout their lifecycle, addressing common misconceptions about the 'set it and forget it' mentality that simplified deployment can foster. This proactive approach helps prevent security oversights that could lead to significant breaches.

While the "2 lines of code" highlight how easy it is to start with sandboxed AI agent deployment, true security means seeing this simplicity as just the beginning, not the final step, for any deployment beyond basic testing. History in software development shows that ease of deployment often comes before facing serious security challenges.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.