We Built Secure, Scalable Agent Sandbox Infrastructure

Tiny VMs for AI agents spark cheers, side-eye, and “security theater” vibes

TLDR: Browser Use moved its AI agents into isolated mini virtual machines and a separate control center so the bots can’t touch secrets. Commenters split: some say it’s standard, others call the security weak and argue the real threat is tricking the AI itself with prompt injections.

Browser Use just put its AI agents in super-tiny virtual machines (think mini rooms with locked doors) and moved all the secrets to a “control plane” — a mission-control server that does the talking to the outside world. In plain terms: the bots live in a box, the keys live somewhere else. Production uses Unikraft micro-VMs, while dev runs the same image in Docker. They even strip environment variables and drop privileges so the bot can’t snoop. Sounds neat — but the crowd is split.

The calm crew says this is pretty standard and wants the juicy details, with yakkomajuri asking for a plug‑and‑play setup. The optimists (like Bnjoroge) are hyped that this could finally push “unikernels” — ultra‑light virtual machines — into the mainstream. Some veterans, like jeremyjacob, nod that Unikraft’s developer experience has improved since last year.

Then comes the drama: orf calls the “hardening” steps security through obscurity, roasting the idea that deleting source files and environment variables is real protection. And cedws drops the spiciest take — that sandboxes don’t matter if large language models can be prompt‑injected (basically tricked into bad behavior), turning every server, website, and file into a booby trap. Cue memes about “baby jail for bots” and “mission control babysitting the AI.” The mood: smart architecture, big debate, popcorn-worthy comments.

Key Points

  • The infrastructure moved from tool isolation to agent isolation, making agents disposable and secret-free.
  • Production runs each agent in its own Unikraft micro-VM, provisioned via Unikraft Cloud’s REST API on AWS bare metal.
  • Only three environment variables (SESSION_TOKEN, CONTROL_PLANE_URL, SESSION_ID) are passed into the sandbox; no secrets are exposed.
  • Unikraft provides scale-to-zero by suspending idle VMs and resuming on demand; sandboxes are distributed across multiple metros.
  • Pre-execution hardening includes Python bytecode-only execution, privilege drop via setuid/setgid, and environment variable stripping.
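
As an added example (not Browser Use's code, and not part of Unikraft), here is what the pre-execution hardening in the last three bullets looks like as a Python launcher: allowlist the environment to the three named session variables, check that nothing else survived, and drop root via setgid/setuid in the child right before exec. The sandbox uid/gid, the `run_agent` helper and the constructed host environment are assumptions. It also shows the limit orf and cedws point at: a stripped environment bounds what a compromised agent can read from its own process, not what it can be talked into doing with the session token it legitimately holds.

```python
"""Added example, not Browser Use's code: a pre-execution hardening shim
in the style the Key Points describe. Allowlist the process environment
to the three session variables, verify nothing else leaked, then drop
root before exec'ing the agent. Sandbox uid/gid are assumptions."""
import os
import subprocess

# The only variables the sandbox is allowed to see (names from the page).
ALLOWED_ENV = ("SESSION_TOKEN", "CONTROL_PLANE_URL", "SESSION_ID")

# Hypothetical unprivileged account the agent runs as after the drop
# (65534 is "nobody" on many distros; an assumption here).
SANDBOX_UID = 65534
SANDBOX_GID = 65534


def sanitize_environment(env, allowed=ALLOWED_ENV):
    """Return a new env dict containing only allowlisted keys.

    An allowlist (rather than a denylist of known secret names) is what
    keeps a forgotten AWS_SECRET_ACCESS_KEY or DATABASE_URL on the host
    from ever reaching the agent's process.
    """
    return {k: env[k] for k in allowed if k in env}


def leaked_keys(env, allowed=ALLOWED_ENV):
    """Post-condition check: names present in env that are not allowlisted."""
    return sorted(k for k in env if k not in allowed)


def drop_privileges(uid=SANDBOX_UID, gid=SANDBOX_GID):
    """Permanently drop to an unprivileged uid/gid.

    Order matters: supplementary groups and gid first, uid last, because
    after setuid() the process can no longer change its group. Returns
    True if the drop happened, False when the caller was not root.
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])   # discard supplementary groups (root-only call)
    os.setgid(gid)
    os.setuid(uid)
    # Verify the drop is irreversible: regaining root must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was not permanent")


def run_agent(argv, env=None):
    """Launch the agent (absolute path in argv[0]) with a stripped
    environment and dropped privileges; returns the exit code."""
    clean_env = sanitize_environment(os.environ if env is None else env)
    if leaked_keys(clean_env):
        raise RuntimeError("environment still carries non-allowlisted keys")
    return subprocess.run(
        argv,
        env=clean_env,
        preexec_fn=drop_privileges,  # runs in the child just before exec
        check=False,
    ).returncode


if __name__ == "__main__":
    # Constructed demo: a host env polluted with a secret that must not cross.
    host_env = {
        "SESSION_TOKEN": "sess-demo",
        "CONTROL_PLANE_URL": "https://control-plane.example",
        "SESSION_ID": "42",
        "AWS_SECRET_ACCESS_KEY": "must-not-leak",
        "PATH": "/usr/bin",
    }
    print("sandbox env:", sanitize_environment(host_env))
    print("stripped from host:", leaked_keys(host_env))
```

`preexec_fn` runs in the forked child, so the parent launcher keeps its own privileges and can start the next agent; if the launcher is not root, `drop_privileges` is a no-op and the agent simply inherits the launcher's user.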

Hottest takes

"I think this is pretty standard" — yakkomajuri
"The first 3 ‘hardening’ points are not great… It’s just security through obscurity" — orf
"Sandboxing doesn’t matter when the LLM is vulnerable to prompt injection" — cedws

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.