Comment by scosman

2 days ago

Shell over MCP, with multiple options for sandbox. Includes Docker, Podman, Modal, E2B, and WASM:

https://github.com/Kiln-AI/Kilntainers

Can run anything from a busybox in WASM to a full cloud VM. Agent just sees a shell.

This seems to be billed as an MCP server for making sandbox containers... right? Doesn't this kind of miss the whole point?

"Make me a sandbox for yourself! Make sure it's really secure!"

  • The sandboxing options are set when you connect the MCP to the agent, not by the agent passing params about its own sandbox.

    There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent cli execution into the same host OS.

    If you sandbox just the agent’s CLI access, then it can’t access its own API keys/code/host-OS/etc.
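The boundary described in this reply, as an added example that is not Kilntainers' code nor scosman's: a shell tool whose sandbox settings are fixed by the operator when the tool is wired to the agent, so the agent can only hand over a command string and never sees the host environment, the host network, or any sandbox knob. Docker is assumed as the backend and `busybox:latest` as the image; the argv is built separately from execution so the policy can be checked without a container runtime present.

```python
"""Added example (assumed design, not Kilntainers' code): an MCP-style shell
tool whose sandbox is configured at connect time.  The agent's only input is
the command; secrets and network access stay on the host side of the boundary."""
from __future__ import annotations

import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxConfig:
    """Chosen by the operator when the tool is connected; never a tool parameter."""
    image: str = "busybox:latest"         # assumed image
    network: bool = False                 # no network unless the operator opts in
    workdir: str = "/work"
    host_mount: str | None = None         # optional host directory shared rw at workdir
    allowed_env: tuple[str, ...] = ()     # host env vars explicitly passed through
    memory: str = "256m"
    pids_limit: int = 128


# Heuristic names that must never be allow-listed into the sandbox.
SECRET_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD")


def filtered_env(cfg: SandboxConfig, host_env: dict[str, str]) -> dict[str, str]:
    """Only explicitly allow-listed, non-secret-looking variables cross the boundary."""
    passed: dict[str, str] = {}
    for name in cfg.allowed_env:
        if any(marker in name.upper() for marker in SECRET_MARKERS):
            raise ValueError(f"refusing to pass secret-looking variable {name!r}")
        if name in host_env:
            passed[name] = host_env[name]
    return passed


def build_argv(cfg: SandboxConfig, command: str, env: dict[str, str]) -> list[str]:
    """Turn the fixed config plus the agent's command into a `docker run` argv.

    Hardening flags are constant: read-only rootfs, all capabilities dropped,
    no privilege escalation, memory and pid limits, and no network by default."""
    argv = [
        "docker", "run", "--rm", "--read-only",
        "--cap-drop=ALL", "--security-opt=no-new-privileges",
        f"--memory={cfg.memory}", f"--pids-limit={cfg.pids_limit}",
        "--tmpfs", "/tmp",
        "--network", "bridge" if cfg.network else "none",
        "--workdir", cfg.workdir,
    ]
    if cfg.host_mount:
        argv += ["-v", f"{os.path.abspath(cfg.host_mount)}:{cfg.workdir}"]
    for key, value in env.items():
        argv += ["-e", f"{key}={value}"]
    argv += [cfg.image, "sh", "-c", command]
    return argv


class ShellTool:
    """What the agent is given: run(command) and nothing else."""

    def __init__(self, cfg: SandboxConfig):
        self._cfg = cfg
        # Env filtering happens once, on the host, before any agent input exists.
        self._env = filtered_env(cfg, dict(os.environ))

    def argv_for(self, command: str) -> list[str]:
        return build_argv(self._cfg, command, self._env)

    def run(self, command: str, timeout: int = 60) -> subprocess.CompletedProcess:
        # The agent's string is the argument to `sh -c` inside the container;
        # it is never interpolated into a host shell.
        return subprocess.run(self.argv_for(command), capture_output=True,
                              text=True, timeout=timeout)


if __name__ == "__main__":
    tool = ShellTool(SandboxConfig())
    print(" ".join(tool.argv_for("echo hello from the sandbox")))
```

The point to check in a real deployment is the same one the argv makes visible: the agent-controlled value appears only as the final `sh -c` argument, while network, mounts, environment and resource limits come from `SandboxConfig`, which no tool call can modify.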