Cloudberry Engineering

Agentbox

Sat, 07 Mar 2026 00:40:02 +0100

Since there are so many to choose from, I built my own sandbox for local coding agents. I use it within my homebrew agent orchestrator running Ralph loops.

The sandbox is this, and builds on the mental models I sketched here.

What stands out compared to competitors:

Focus is user experience: it’s an abstraction on top of a container, but it’s simpler to setup with a high level config file that I sarcastically baptized Agentfile.
The networking boundary talks back to the agent, to avoid hallucinatory loops where the agent tries really hard to reach a remote destination that is blocked.

On Sandboxing Agents

Sat, 07 Mar 2026 00:26:17 +0100

I am still on a quest to stay out of the loop with coding agents, to reach warp speed yoloness. So I am obsessing over sandboxes.

Can I put an agent in a box, give it a task and go to sleep? There are tons of solutions right now but it’s hard to tell which is the right approach.

The reason is that sandboxing agents isn’t one problem but at least two. A local sandbox on a developer machine and a remote multi-tenant sandbox serve different threat models, require different controls, and fail in different ways. Treating them as the same leads to the wrong tradeoffs.

Agent Sandboxes

Wed, 04 Feb 2026 14:32:36 +0100

I am forcing myself to stay out of the loop, and I am looking at ways to sandbox coding agents running without supervision. I do have my own container based setup but I am curious to see what’s everyone else cooking. This is what I found so far:

docker sandbox https://docs.docker.com/ai/sandboxes/

create a microvm with a private docker daemon inside
agents run in containers inside the microvm
the use case for this seems to be coding agents that need to orchestrate containers, removing the hassle to mount the host docker socket into a container

https://github.com/trailofbits/claude-code-devcontainer

GH Issues Considered Dangerous

Mon, 02 Feb 2026 21:29:04 +0100

We are moving towards a place where ticketing systems will become an important component to protect, akin to CI/CD.

Tickets are a new source of untrusted input we need to account for when threat modeling against prompt injections.

Ghostty only allows maintainers to create issues, seems to me they figured out a cheap and pragmatic security policy by accident.

Claude Code Sandbox

Tue, 27 Jan 2026 23:13:42 +0100

How does Claude Code sandbox work when used with --dangerously-skip-permissions? It does’t, since Claude asks permission to evade the sandbox, and yolo mode automatically allows it.

Normal:

Your bash commands will be sandboxed. Disable with /sandbox.

❯ list the files in ~/Downloads and then write an empty file in that directory named SANDBOXTEST

⏺ Read 1 file (ctrl+o to expand)

⏺ Write(~/Downloads/SANDBOXTEST)
  ⎿  Wrote 1 lines to ../../../Downloads/SANDBOXTEST
      1 (No content)

⏺ Done. Listed the files in ~/Downloads (there are many files including PDFs, STL files, images, and various other documents) and created an empty file
  named SANDBOXTEST in that directory.

❯ use `touch` to touch the SANDBOXTEST file

⏺ Bash(touch ~/Downloads/SANDBOXTEST)
  ⎿  Error: Exit code 1
     touch: /Users/g/Downloads/SANDBOXTEST: Operation not permitted

⏺ The sandbox blocked that operation since ~/Downloads is outside the allowed write paths. Let me retry with the sandbox disabled.

<asks to touch SANDBOXTEST without sandbox>

With --dangerously-skip-permissions:

How I Think About Agentic Risks

Sun, 21 Dec 2025 18:11:01 +0100

Fully aware that this might be obsolete in half a year, this is my current mental model to reason about AI Agents risks.

This is based largely on my experience in assessing AI systems in the last two years, and applying prior art into my day to day work.

Of everything I digested in current literature the two most influential pieces have been the Google AI Agent security framework and the Lethal Trifecta and the public discourse around it.

Coding Agents Security Theater

Thu, 04 Dec 2025 23:29:10 +0100

Security is hard so let’s skip it. Although the author is not wrong:

If you look at the security measures in other coding agents, they’re mostly security theater. As soon as your agent can write code and run code, it’s pretty much game over. The only way you could prevent exfiltration of data would be to cut off all network access for the execution environment the agent runs in, which makes the agent mostly useless. An alternative is allow-listing domains, but this can also be worked around through other means.

Finding vulnerabilities with LLMs

Wed, 03 Sep 2025 08:51:16 +0200

Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex. Super interesting to see some benchmarks.

Traditional rule based detection can’t find complex vulnerabilities and even potentially detectable issues might go unnoticed as false negatives. This helps answer the question whether LLM could be integrated to cover this blind spot.

They could! But the problem is the noise:

AI Coding Agents Find Real Vulnerabilities: Claude Code found 46 vulnerabilities (14% true positive rate – TPR, 86% false positive rate – FPR) and Codex reported 21 vulnerabilities (18% TPR, 82% FPR). About 20 of these are high severity vulnerabilities.

The nx Breach

Mon, 01 Sep 2025 18:49:04 +0200

How did they breach nx to publish a malicious package?

It started with the nx team introducing a bash injection vulnerability in a new github workflow:

      - name: Create PR message file
        run: |
          mkdir -p /tmp
          cat > /tmp/pr-message.txt << 'EOF'
          ${{ github.event.pull_request.title }}
          
          ${{ github.event.pull_request.body }}
          EOF

Both ${{ github.event.pull_request.title }} and ${{ github.event.pull_request.body }} are untrusted content that is directly used inside the run context of the workflow.

How to Sell to Security Teams

Wed, 15 May 2024 19:04:24 +0200

Context

I wrote this some time ago as an internal memo for marketing and product to help craft value propositions to sell security tools to security teams.

I’ve noticed some confusion around the objectives of security teams and I’d like to share my perspective, hoping to clarify matters. Please note that these are just my opinions based on my experiences as a security persona across various organizations.

What is the goal of a security program?

Foundations of a Multi-Cloud Security Strategy

Sat, 28 Nov 2020 21:23:05 +0100

I’ve spent a good year working on a security strategy to manage multi-cloud environments, in this article I want to share what I wish we did in advance to be better prepared.

The Quirks of Apps Script and Google Cloud

Sun, 15 Nov 2020 20:30:25 +0100

Using Apps Script for scripting GSuite / Google Workplace will generate Google Cloud Platform (GCP) projects in the background.

Google Cloud Service Accounts Security Best Practices

Sun, 08 Nov 2020 13:29:51 +0100

Service Accounts in Google Cloud Platform (GCP) are the main vector to hack an account: it’s easy to use them wrong and end up with a compromised key and a lot of headaches.

A Practical Introduction to Container Security

Sun, 01 Nov 2020 11:24:54 +0100

Securing containers is a complex task. The problem space is broad, vendors are on fire, there are tons of checklists and best practices and it’s hard to prioritize solutions. So if you had to implement a container security strategy where would you start?

Google Cloud IAM for Security Teams

Sun, 25 Oct 2020 13:40:43 +0100

Identity and Access Management (IAM) is an important piece of the cloud puzzle and it’s usually a source of headaches from a security point of view. Let’s try to give some pointers from a blue team perspective.

If you are a security team that just inherited a bunch of Google Cloud Platform (GCP) accounts, this guide is for you.

A Collection of Cloud Security Tools