Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents

AI agents get a “safe sandbox” — devs cheer while skeptics yell “escape hatch”

TLDR: Amla Sandbox lets AI agents run scripts in a locked-down WebAssembly sandbox, aiming for fast “code mode” without risking your machine. Commenters split: supporters praise the lean, container-free isolation, while skeptics worry exposed tools are escape routes and wonder about missing Python/JS support and standard command tools.

Amla Sandbox just dropped a “WASM playpen” for AI agents, promising code-mode speed without the usual “oops-my-computer” risk. It runs scripts inside WebAssembly (portable bytecode executed by a sandboxed runtime), with no network, a virtual file system in place of the host's, and per-tool permission rules so the bot only touches the tools you allow. Fans love the pitch: one script replaces ten pricey back-and-forth tool calls, cutting the “token tax.” The team touts memory safety and a hardened runtime, plus a one-binary install—no Docker drama. The caveat worth knowing: Wasm's memory safety is isolation between guest and host (the module can only address its own linear memory), so a bug inside the script stays inside the sandbox, but whatever the host chooses to expose as a tool is reachable by design. After recent agent framework scares and CVEs, commenters are thirsty for anything that doesn’t exec random bash. Check the project on GitHub.

Then the comments lit up. One camp cheers the security model—westurner waved the README receipts—while skeptics like quantummagic warn: if you expose tools, those tools become escape hatches. Wasm celeb syrusakbary says this is the future of containers, but flags limits today (not full Python, partial JavaScript) and plugs Wasmer. Others clap the pragmatism: asyncadventure loves the lean footprint (11MB vs 173MB), calling it the “sweet spot.” The practical crowd asks: “What about Unix favorites like grep/jq/curl?” sd2k notes they’d need WASI builds—cue memes of “lock up your curl.” Verdict: hype meets homework, and everyone’s measuring the baby gate.

Key Points

  • amla-sandbox is a WebAssembly-based sandbox that runs LLM-generated code with strict capability enforcement, no network, and no shell escape.
  • It targets security risks in agent frameworks that execute model output via exec/subprocess, citing examples like LangChain, AutoGen, and SWE-Agent.
  • Compared to Docker-based isolation, amla-sandbox offers a single-binary, no-VM solution with a sandboxed virtual filesystem.
  • The approach aims to reduce tool-calling costs by allowing code-mode scripts to perform multiple operations while enforcing per-tool capabilities, constraints, and call limits.
  • The security model relies on WASM+WASI isolation using wasmtime and capability-based security principles inspired by seL4, with examples of constrained Stripe API calls.
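The capability model sketched in the points above (per-tool grants, argument constraints, call limits, no network, no shell) is the host-side half of the design: the sandboxed script never talks to Stripe or a filesystem directly, only to whatever the host exposes. The following is an added illustration in Python, not amla-sandbox's own code, of a deny-by-default tool gateway that enforces those rules on every call. The Stripe-style refund tool, the in-memory virtual filesystem, the tool names, the call budgets and the argument rules are all constructed for the example.

```python
"""Capability-gated tool dispatch for a "code mode" agent sandbox.

Added illustration (not amla-sandbox's code). The host exposes tools to the
sandboxed script only through ToolGateway, which is deny-by-default: a tool
must be granted, every argument must be named in the grant and pass its
predicate, and each grant carries a call budget. Every decision is audited.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


class CapabilityError(PermissionError):
    """Raised when a script calls an ungranted tool, passes an argument
    outside its constraints, or exceeds the grant's call budget."""


@dataclass
class ToolGrant:
    """One capability: the real handler, a predicate per allowed argument,
    and how many successful calls the script may make."""
    handler: Callable[..., Any]
    constraints: Dict[str, Callable[[Any], bool]]
    max_calls: int
    calls_made: int = 0


class ToolGateway:
    """Host-side chokepoint between the sandbox and the real tools."""

    def __init__(self) -> None:
        self._grants: Dict[str, ToolGrant] = {}
        self.audit: List[str] = []

    def grant(self, name: str, grant: ToolGrant) -> None:
        self._grants[name] = grant

    def call(self, name: str, **kwargs: Any) -> Any:
        grant = self._grants.get(name)
        if grant is None:
            self._deny(name, "tool not granted")
        if grant.calls_made >= grant.max_calls:
            self._deny(name, f"call limit {grant.max_calls} reached")
        unexpected = set(kwargs) - set(grant.constraints)
        if unexpected:  # arguments the grant never named are refused outright
            self._deny(name, f"unexpected arguments {sorted(unexpected)}")
        for arg, check in grant.constraints.items():
            if arg not in kwargs or not check(kwargs[arg]):
                self._deny(name, f"argument {arg!r} rejected")
        grant.calls_made += 1  # charge the budget before dispatch
        self.audit.append(f"ALLOW {name} {kwargs}")
        return grant.handler(**kwargs)

    def _deny(self, name: str, reason: str) -> None:
        self.audit.append(f"DENY {name}: {reason}")
        raise CapabilityError(f"{name}: {reason}")


# --- Constructed stand-ins for real tools (not a real Stripe client) -------
FAKE_CHARGES = {"ch_3Pq7demo0001": 4800}  # charge id -> original amount, cents


def fake_stripe_refund(charge_id: str, amount_cents: int) -> dict:
    if amount_cents > FAKE_CHARGES.get(charge_id, 0):
        raise ValueError("refund exceeds charge")
    return {"status": "refunded", "charge": charge_id, "amount_cents": amount_cents}


FAKE_VFS = {"/sandbox/notes.txt": "hello from the virtual filesystem\n"}


def fake_read_file(path: str) -> str:
    return FAKE_VFS[posixpath.normpath(path)]


def inside_sandbox(path: str) -> bool:
    """Normalise first so '/sandbox/../etc/passwd' cannot pass a prefix check."""
    return isinstance(path, str) and posixpath.normpath(path).startswith("/sandbox/")


def make_demo_gateway() -> ToolGateway:
    gw = ToolGateway()
    gw.grant("stripe_refund", ToolGrant(
        handler=fake_stripe_refund,
        constraints={
            "charge_id": lambda v: isinstance(v, str)
            and re.fullmatch(r"ch_[A-Za-z0-9]{8,}", v) is not None,
            # bool is an int subclass in Python, so exclude it explicitly
            "amount_cents": lambda v: isinstance(v, int)
            and not isinstance(v, bool) and 0 < v <= 5000,  # cap per refund
        },
        max_calls=2,
    ))
    gw.grant("read_file", ToolGrant(
        handler=fake_read_file, constraints={"path": inside_sandbox}, max_calls=10))
    return gw


def denied(gw: ToolGateway, name: str, **kwargs: Any) -> bool:
    """True if the gateway refused the call (used by the demo below)."""
    try:
        gw.call(name, **kwargs)
    except CapabilityError:
        return True
    return False


if __name__ == "__main__":
    gw = make_demo_gateway()
    print(gw.call("stripe_refund", charge_id="ch_3Pq7demo0001", amount_cents=1200))
    print(denied(gw, "exec_bash", cmd="cat /etc/passwd"))        # True: never granted
    print(denied(gw, "read_file", path="/sandbox/../etc/passwd"))  # True: escapes root
    print("\n".join(gw.audit))
```

The point the block makes is the one quantummagic raises: the security boundary is the sum of the grants, so the grants have to be narrow. Any argument the grant does not name is refused, the path predicate normalises before checking the prefix so `..` cannot walk out of the virtual root, a refused call does not consume budget, and the audit log is where to look when a script starts probing.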

Hottest takes

"every tool that you provide access to, is a potential escape hatch from the sandbox" — quantummagic
"using Wasm for sandboxing is the way for the future of containers" — syrusakbary
"The 11MB vs 173MB difference with agentvm highlights an important tradeoff" — asyncadventure

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.