HackerTrans
トップ新着トレンドコメント過去質問紹介求人

souvik1997

no profile record

投稿

Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents

github.com
146 ポイント·投稿者 souvik1997·5 か月前·73 コメント

コメント

souvik1997
·2 か月前·議論
What were the annoyances you faced?
souvik1997
·2 か月前·議論
Not sure what is the aversion to libc? The code only supports Intel macOS, seemingly because Apple Silicon (arm64) macOS does not support this.
souvik1997
·5 か月前·議論
Edera looks very cool! Awesome team too.

I read the thesis on arxiv. Do you see any limitations from using Xen instead of KVM? I think that was the biggest surprise for me as I have very rarely seen teams build on Xen.
souvik1997
·5 か月前·議論
Hey @clawsyndicate I'd love to learn more about your use case. We are working on a product that would potentially get you the best of both worlds (microVM security and containers/gVisor scalability). My email is in my profile.
souvik1997
·5 か月前·議論
This is a really interesting direction we have been exploring too! Our approach is basically to create a file containing the prompt for each turn within the virtual filesystem. The results seem promising so far
souvik1997
·5 か月前·議論
Yep, we got that sorted. Thanks for the suggestion! https://pypi.org/project/amla-sandbox/
souvik1997
·5 か月前·議論
True. bubblewrap and similar (Landlock, sandbox-exec on Mac) are solid lightweight options. The main difference is they still expose a syscall interface that you then restrict, vs WASM where capabilities are opt-in from zero. Different starting points, similar goals.

Some advantages of building the sandbox in wasm, aside from the security benefits, are complete execution reproducibility. amla-sandbox controls all external side effects, leaving the wasm core as just "pure computation", which makes recording traces and replaying them very easy. It's great for debugging complex workflows.
souvik1997
·5 か月前·議論
If I had to rank these, in order of least to most secure, it would be container < VM < WASM.

WASM has:

- Bounds checked linear memory

- No system calls except what you explicitly grant via WASI

- Much smaller attack surface

VMs have:

- Hardware isolation, separate kernel

- May have hypervisor bugs leading to VM escape (rare in practice though)

Some problems with containers:

- Shared host kernel (kernel exploit = escape)

- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it

- Larger attack surface (full syscall interface)

- Container escapes are a known class of vulnerability
souvik1997
·5 か月前·議論
We will take a look! Thanks for sharing. Dynamic linking to run pydantic/numpy/etc. would be huge!
souvik1997
·5 か月前·議論
The opus 4.5 confession is great haha. We have found Claude Code + Opus 4.5 + Rust with miri/cargo-deny/cargo-check/cargo-fmt + Python with strict type checking/pedantic lint rules/comprehensive test suites to be a winning combination. It makes AI-assisted development surprisingly viable for systems work.

Good to see that you chose a similar path for networking in eryx!
souvik1997
·5 か月前·議論
Makes total sense. We'll prioritize getting the WASM source out. This is good signal that it matters. Will ping you when it's up!
souvik1997
·5 か月前·議論
The ecosystem layer is a hard but very important problem to solve. Right now we define tools in Python on the host side, but I see a clear path to WIT-defined components. The registry of portable tools is very compelling.

Will checkout asterai, thanks for sharing!
souvik1997
·5 か月前·議論
Thanks Simon! Denobox looks very cool: Deno's permissions model is a natural fit for this.

On the licensing: totally fair point. Our intention is to open source the WASM too. The binary is closed for now only because we need to clean up the source code before releasing it as open-source. The Python SDK and capability layer are MIT. We wanted to ship something usable now rather than wait. Since the wasm binary runs in wasmtime within an open source harness, it is possible to audit everything going in and out of the wasm blob for security.

Genuinely open to feedback on this. If the split license is a blocker for your use cases, that's useful signal for us.
souvik1997
·5 か月前·議論
Fair points.

On containers: yes, running in Docker/Firecracker works. The "one prompt injection and you’re done" framing is hyperbolic for containerized setups. The pitch is more relevant for people running agents in their local environment without isolation, or who want something lighter than spinning up containers per execution.

On the licensing: completely valid concern. We are a new company (just two cofounders right now) and the binary is closed for now only because we need to clean up the source code before releasing it as open-source. The Python SDK and capability layer are MIT.

I get that "trust us" isn’t compelling for a security product from an unknown entity, but since the Wasm binary runs within wasmtime (one of the most popular Wasm runtimes) and you can audit everything going in and out of it, the security story should hopefully be more palatable while we work on open sourcing the Wasm core.

The 2025/2026 date discrepancy is just me being sloppy with the license
souvik1997
·5 か月前·議論
Thanks! That’s exactly the use case we built this for
souvik1997
·5 か月前·議論
The sandbox doesn’t run models. it runs agent-generated code and constrains tool calls. The model runs wherever you want (OpenAI, Anthropic, local Ollama, whatever).
souvik1997
·5 か月前·議論
Interesting! What use cases felt too constrained? We've been mostly focused on "agent calls tools with parameters". Curious where you hit flexibility limits.

Would love to see your MCP approach if you've published it anywhere.
souvik1997
·5 か月前·議論
Thanks for sharing localsandbox! sqlite-backed VFS for fork and resume workflows is very interesting.
souvik1997
·5 か月前·議論
Great question. We cheated a bit; we didn't compile the GNU coreutils to wasm. Instead, we have Rust reimplementations of common shell commands. It allows us to focus on the use cases agents actually care about instead of reimplementing all of the corner cases exactly.

For `jq` specifically we use the excellent `jaq_interpret` crate: https://crates.io/crates/jaq-interpret

curl is interesting. We don't include it currently but we could do it without too much additional effort.

Networking isn't done within the wasm sandbox; we "yield" back to the the caller using what we call "host operations" in order to perform any IO. This keeps the Wasm sandbox minimal and as close to "pure compute" as possible. In fact, the only capabilities we give the WASI runtime is a method to get the current time and to generate random numbers. Since we intercept all external IO, random number generation, time, and the Wasm runtime is just for pure computation, we also get perfect reproducibility. We can replay anything within the sandbox exactly.

Your approach with brush is interesting. Having actual bash semantics rather than "bash-like" is a real advantage for complex scripts. The dynamic linking problem for subcommands is a tough one; have you looked at WASI components for this? Feels like that's where it'll eventually land but the tooling isn't there yet.

Will check out eryx and conch. Thanks for sharing!
souvik1997
·5 か月前·議論
Thanks for sharing the context! The fork problem is gnarly. Makes sense that full Linux emulation was the path forward for your use case.

Agreed on WASI maturity. We're hoping the component model lands in a stable form soon. Would love to see the ecosystem converge so these approaches can interoperate.