One of the engineers behind Manus shared a bunch of interesting tips about building agents. Above all: you don’t need specialized tools, just one run(command="...") to run cli tools whose interfaces are usually familiar to the underlying model.

The agentic risks are mitigated by running some of those commands inside BoxLite containers (microvms).

Most commands never touch the OS. cat, grep, memory search, browser open — these look like shell commands but they’re implemented as a Go command router. The LLM outputs a string, I parse it and dispatch to native functions. No os/exec, no shell injection surface. It’s essentially typed functions wearing CLI syntax — same access control, but the LLM gets a familiar interface.

When you do need real OS execution (e.g. running a Python script or installing packages), it runs inside a micro-VM — an isolated QCOW2 virtual machine with its own filesystem. The agent can do whatever it wants inside the sandbox. It can rm -rf / and nothing happens to the host. Sandbox isolation > command filtering.

So some commands are emulated and the real ones run in the sandbox. Why bother, rather than running everything directly in the sandbox?

Running commands as native functions (e.g. a Go router) gives you lower latency and zero VM overhead — for many use cases that’s already enough, no VM needed at all.
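To make the two-path design concrete, here is a small Go command router written for this note. It is an added example, not Manus code and not the engineer's implementation: `NewRouter`, `Dispatch`, `tokenize`, the in-memory `files` map and the `sandbox` callback (standing in for the micro-VM) are all assumptions. The model's output line is split into argv by the router itself, so shell metacharacters such as `;` or `|` are plain argument text for the emulated commands and never reach a shell; anything not emulated is handed to the sandbox path instead of `os/exec`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Result of one dispatched command line.
type Result struct {
	Output    string
	Sandboxed bool // true when the line was routed to the micro-VM path
}

// Router maps command names to native Go handlers. There is no os/exec here:
// emulated commands operate on an in-memory file map (assumed, for the example).
type Router struct {
	files    map[string]string
	handlers map[string]func(args []string) (string, error)
	sandbox  func(line string) (string, error) // stands in for the micro-VM
}

func NewRouter(files map[string]string, sandbox func(string) (string, error)) *Router {
	r := &Router{files: files, sandbox: sandbox}
	r.handlers = map[string]func([]string) (string, error){
		"cat":  r.cat,
		"grep": r.grep,
	}
	return r
}

// cat <path>: typed function wearing CLI syntax.
func (r *Router) cat(args []string) (string, error) {
	if len(args) != 1 {
		return "", errors.New("usage: cat <path>")
	}
	content, ok := r.files[args[0]]
	if !ok {
		return "", fmt.Errorf("cat: %s: no such file", args[0])
	}
	return content, nil
}

// grep <substring> <path>: fixed-string match, line by line.
func (r *Router) grep(args []string) (string, error) {
	if len(args) != 2 {
		return "", errors.New("usage: grep <pattern> <path>")
	}
	content, ok := r.files[args[1]]
	if !ok {
		return "", fmt.Errorf("grep: %s: no such file", args[1])
	}
	var matches []string
	for _, line := range strings.Split(content, "\n") {
		if strings.Contains(line, args[0]) {
			matches = append(matches, line)
		}
	}
	return strings.Join(matches, "\n"), nil
}

// tokenize splits a command line into argv, honouring single and double quotes.
// Metacharacters are not interpreted: "a; rm -rf /" is just argument text.
func tokenize(line string) ([]string, error) {
	var argv []string
	var cur strings.Builder
	inToken := false
	var quote rune
	for _, c := range line {
		switch {
		case quote != 0:
			if c == quote {
				quote = 0
			} else {
				cur.WriteRune(c)
			}
		case c == '"' || c == '\'':
			quote, inToken = c, true
		case c == ' ' || c == '\t':
			if inToken {
				argv = append(argv, cur.String())
				cur.Reset()
				inToken = false
			}
		default:
			cur.WriteRune(c)
			inToken = true
		}
	}
	if quote != 0 {
		return nil, errors.New("unbalanced quote")
	}
	if inToken {
		argv = append(argv, cur.String())
	}
	return argv, nil
}

// Dispatch parses one line emitted by the model: emulated commands run as
// native functions, everything else goes to the sandbox path.
func (r *Router) Dispatch(line string) (Result, error) {
	argv, err := tokenize(line)
	if err != nil {
		return Result{}, err
	}
	if len(argv) == 0 {
		return Result{}, errors.New("empty command")
	}
	if h, ok := r.handlers[argv[0]]; ok {
		out, err := h(argv[1:])
		return Result{Output: out}, err
	}
	out, err := r.sandbox(line)
	return Result{Output: out, Sandboxed: true}, err
}

func main() {
	files := map[string]string{"notes.txt": "alpha\nbeta\ngamma"} // constructed sample
	r := NewRouter(files, func(line string) (string, error) {
		return "(would run in micro-VM) " + line, nil
	})
	for _, line := range []string{`cat notes.txt`, `cat notes.txt; rm -rf /`, `python3 run.py`} {
		res, err := r.Dispatch(line)
		fmt.Printf("%q -> sandboxed=%v out=%q err=%v\n", line, res.Sandboxed, res.Output, err)
	}
}
```

The point to notice is the second line in `main`: the emulated `cat` receives four arguments and fails its own argument check, so the appended `rm -rf /` is never executed anywhere; only lines whose first word is not emulated reach the sandbox callback, and the host never runs them.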

Fair? It’s an interesting implementation of the “sandbox the tools” paradigm, driven by performance reasons. But the security model holds because the agent harness is custom-built around exactly these two kinds of capabilities; it is not an operating model directly portable to other off-the-shelf harnesses.