Comment by scosman
1 day ago
The sandboxing options are set when you connect the MCP to the agent, not by the agent passing params about its own sandbox.
There’s a misconception about the right security boundary for agents. The agent code needs secrets (API keys, prompts, code) and the network (docs, other use cases). Wrapping the whole agent in a container puts secrets, network access, and arbitrary agent cli execution into the same host OS.
If you sandbox just the agent’s CLI access, then it can’t access its own API keys/code/host-OS/etc.
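A minimal illustration of the boundary described in the comment above, as an added example that is not part of the original post or of any real MCP implementation: the sandbox policy is fixed when the tool server is constructed (the point where the MCP is connected to the agent), and every command the agent asks to run gets a scrubbed environment and a confined working directory, so the agent's own credentials never reach the child process. The class and function names, the `CliToolServer` server, and the `OPENAI_API_KEY`-style secret names are constructed for the example.

```python
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed secret names standing in for the agent's own credentials.
SECRET_VARS = ("OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GITHUB_TOKEN")

# Probe the agent might ask the tool server to run: does the child see a key?
PROBE = [sys.executable, "-c",
         "import os; print(os.environ.get('OPENAI_API_KEY', '<absent>'))"]


@dataclass(frozen=True)
class SandboxPolicy:
    """Decided once, when the tool server is wired to the agent.

    The agent's requests carry only argv; they cannot widen this policy.
    """
    workdir: Path
    # Only these variables are copied from the host into the child. SYSTEMROOT
    # is included so the same allow-list also works on Windows.
    allowed_env: frozenset = frozenset({"PATH", "LANG", "LC_ALL", "TERM", "SYSTEMROOT"})
    timeout_s: int = 10


class CliToolServer:
    """Hypothetical MCP-style server that exposes 'run a command' to an agent."""

    def __init__(self, policy: SandboxPolicy, host_env=None):
        self._policy = policy
        # Snapshot of the host environment (where the agent's secrets live).
        self._host_env = dict(os.environ if host_env is None else host_env)
        self._policy.workdir.mkdir(parents=True, exist_ok=True)

    def _child_env(self):
        """Build the environment the sandboxed command will see."""
        env = {k: v for k, v in self._host_env.items()
               if k in self._policy.allowed_env}
        # Scratch HOME so ~/.ssh, ~/.config, ~/.aws and friends are unreachable.
        env["HOME"] = str(self._policy.workdir)
        return env

    def is_confined(self, requested: str) -> bool:
        """True if a path the agent names stays inside the sandbox workdir."""
        root = self._policy.workdir.resolve()
        target = (root / requested).resolve()
        return target == root or root in target.parents

    def run(self, argv):
        """Run one command under the fixed policy; returns (rc, stdout, stderr)."""
        proc = subprocess.run(
            argv,
            cwd=self._policy.workdir,
            env=self._child_env(),
            capture_output=True,
            text=True,
            timeout=self._policy.timeout_s,
        )
        return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def demo():
    """Contrast a sandboxed tool call with a child that inherits the host env."""
    # Constructed host environment holding the agent's (fake) secrets.
    host_env = dict(os.environ)
    host_env.update({k: "constructed-" + k.lower() for k in SECRET_VARS})

    policy = SandboxPolicy(workdir=Path(tempfile.mkdtemp(prefix="agent-sandbox-")))
    server = CliToolServer(policy, host_env=host_env)

    _, sandboxed_out, _ = server.run(PROBE)
    # The "wrap everything together" case: the child simply inherits host_env.
    unsandboxed_out = subprocess.run(
        PROBE, env=host_env, capture_output=True, text=True).stdout.strip()

    return {
        "sandboxed_sees_key": sandboxed_out != "<absent>",
        "unsandboxed_sees_key": unsandboxed_out != "<absent>",
        "notes_confined": server.is_confined("notes.txt"),
        "escape_confined": server.is_confined("../../etc/passwd"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Environment scrubbing and a confined working directory only cover the secrets half of the comment's argument; isolating the child's network and the rest of the filesystem needs an OS-level mechanism (namespaces, seccomp, a container or VM), which this example does not implement.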