Comment by benatkin
6 hours ago
The readme exaggerates the threat of agents shelling out and glosses over a serious drawback of itself. On the shelling out side, it says "One prompt injection and you're done." Well, you can run a lot of these agents in a container, and I do. So maybe you're not "done". Also it's rare enough that this warning exaggerates - Claude Code has a yolo mode and outside of that, it has a pretty good permission system. On glossing over the drawback: "The WASM binary is proprietary—you can use it with this package but can't extract or redistribute it separately." And who is Amla Labs? FWIW the first commit is in 2026 and the license is in 2025.
Fair points.
On containers: yes, running in Docker/Firecracker works. The "one prompt injection and you’re done" framing is hyperbolic for containerized setups. The pitch is more relevant for people running agents in their local environment without isolation, or who want something lighter than spinning up containers per execution.
On the licensing: completely valid concern. We are a new company (just two cofounders right now) and the binary is closed for now only because we need to clean up the source code before releasing it as open-source. The Python SDK and capability layer are MIT.
I get that "trust us" isn’t compelling for a security product from an unknown entity, but since the Wasm binary runs within wasmtime (one of the most popular Wasm runtimes) and you can audit everything going in and out of it, the security story should hopefully be more palatable while we work on open sourcing the Wasm core.
The 2025/2026 date discrepancy is just me being sloppy with the license