Comment by catlifeonmars

3 days ago

Containers are not a robust way to isolate untrusted programs. A lightweight VM is probably the best balance between usability and security.

They are effective at fostering a false sense of security though.

It depends what your threat model is and where the container lives. For example, k8s can go a long way towards sandboxing, even though it's not based on VMs.

The threat with AI agents exists at a fairly high level of abstraction, and developing with them assumes a baseline level of good intentions. You're protecting against mistakes, confusion, and prompt injection. For that, your threat mitigation strategy should be focused on high-level containment.

I've been working on something in a similar vein to yolobox, but the isolation goal has more to do with secret exfiltration and blast radius. I'd love some feedback if you have a chance!

https://github.com/borenstein/yolo-cage

What specifically are you concerned about when running an LLM agent in a container versus a VM?

Assuming a standard Docker/Podman container with just the project directory mounted inside it, what vectors are you expecting the LLM to use to break out?

  • From “How it works” in the readme:

    > yolobox uses container isolation (Docker or Podman) as its security boundary…

    I have no issue with running agents in containers FWIW, just in framing it as a security feature.

    > what vectors are you expecting the LLM to use to break out?

    You can just search for “Docker CVE”.

    Here is one from late last year, just as an example: https://nvd.nist.gov/vuln/detail/CVE-2025-9074

    • Everything has CVEs; you can find CVEs in VM hypervisors if you like (the one you linked is in Docker Desktop, not Docker Engine, which is what this project uses).

      There are valid criticisms of Docker/Podman isolation but it's not a binary "secure/not secure" thing, and honestly in this use case I don't see a major difference, apart from it being easier for a user to weaken the isolation provided by the container engine.

      Docker/Podman security is essentially Linux security, it just uses namespaces+cgroups+capabilities+apparmor/SELinux+seccomp filters. There's a larger attack surface for kernel vulns when compared to VM hypervisors, but I've not heard of an LLM trying to break out by 0-day'ing the Linux kernel as yet :)

      1 reply →
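As an added example (not code from the thread, from yolobox or from yolo-cage), here is a small audit over the `HostConfig` section of `docker inspect` output that flags the common ways a user weakens the namespace/capability/seccomp isolation the last comment describes. The sample JSON is constructed; the field names are the ones Docker prints.

```python
import json

# Constructed sample of the HostConfig section that `docker inspect <container>`
# prints for a container launched to run an agent with the project directory
# mounted; the values are made up to exercise every check below.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-container-id",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "NetworkMode": "host",
        "PidMode": "",
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/home/dev/project:/workspace:rw",
                  "/var/run/docker.sock:/var/run/docker.sock:rw"],
    },
}])

# Capabilities that let a process act outside the container's view of the kernel
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "ALL"}

def audit_isolation(inspect_json: str) -> list[str]:
    """Return human-readable findings for each way the container's default
    isolation (namespaces, capabilities, seccomp/AppArmor) has been weakened."""
    host = json.loads(inspect_json)[0]["HostConfig"]
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices granted")
    for cap in host.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"cap-add {cap}: widens the kernel attack surface")
    if host.get("NetworkMode") == "host":
        findings.append("network=host: network namespace shared with the host")
    if host.get("PidMode") == "host":
        findings.append("pid=host: PID namespace shared with the host")
    sec_opts = host.get("SecurityOpt") or []
    for opt in sec_opts:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"{opt}: syscall/MAC filtering disabled")
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append("no-new-privileges unset: setuid binaries can regain privileges")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/var/run/docker.sock", "/run/podman/podman.sock"):
            findings.append(f"bind {src}: engine socket is host-root equivalent")
        elif src == "/":
            findings.append("bind /: entire host filesystem mounted")
    return findings
```

A run over `SAMPLE_INSPECT` reports five findings; a container started with only the project bind mount and `--security-opt no-new-privileges` reports none.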