"Not a Pentest" Notice: These sandboxing techniques are for protecting your own infrastructure from your own AI agents. Defensive use only.
Moltbot AI Security

AI Agent Sandboxing & Isolation Best Practices 2026

AI agents that execute code, run tools, or access filesystems are running untrusted computation. A single successful prompt injection or jailbreak can pivot to your host system — unless you contain the blast radius. This guide gives you the exact isolation stack.

6 isolation layers | 5 blast radius principles | 10+ container security flags

The Core Problem: Agents Execute Code

When your Moltbot agent runs a code interpreter, executes shell commands, or reads/writes files, it's executing untrusted computation on your infrastructure. If the agent is compromised via prompt injection, the attacker has whatever access the agent has. The only safe default: agents have no access until explicitly granted.

6 Isolation Layers

Process Isolation
Each agent runs in its own process, sharing no memory with other agents or the host system.
How: Docker containers with their own PID namespace (the default; never --pid=host), seccomp profiles, read-only rootfs

Network Isolation
Agents cannot initiate outbound network connections except to explicitly allowlisted endpoints.
How: Docker --network=none, or a custom network with strict egress rules enforced via iptables

Filesystem Isolation
Read-only root filesystem. Write access only to ephemeral temp directories that are wiped after each run.
How: --read-only flag plus a tmpfs mount for /tmp only

Capability Dropping
Drop ALL Linux capabilities. Add back only what is strictly needed (usually nothing for LLM agents).
How: --cap-drop=ALL --security-opt=no-new-privileges

Resource Limits
Hard CPU, memory, and execution time limits. The agent cannot exhaust host resources or run indefinitely.
How: --memory=512m --cpus=0.5 plus an exec timeout of 30s

User Namespace Isolation
Run the agent as a non-root user inside the container: UID 65534 (nobody) with no capabilities.
How: --user=65534:65534

Hardened Docker Run Command

# Hardened agent container run command.
# Note: a shell comment after a trailing backslash breaks the line continuation,
# so the flags are documented here instead of inline:
#   --rm                               auto-remove the container after the run
#   --read-only                        read-only rootfs
#   --tmpfs /tmp:noexec,nosuid,...     limited writable tmp, nothing executable in it
#   --network=none                     no network access
#   --cap-drop=ALL                     drop all capabilities
#   --security-opt=no-new-privileges   block privilege escalation via setuid/file caps
#   --security-opt=seccomp=...         custom seccomp syscall allowlist
#   --user=65534:65534                 run as nobody
#   --memory / --memory-swap           512 MB RAM cap; equal swap cap means no swap
#   --cpus=0.5                         max 50% of one CPU core
#   --pids-limit=100                   max 100 processes
#   timeout 30 ...                     30 s hard timeout on the agent process
docker run \
  --rm \
  --read-only \
  --tmpfs /tmp:noexec,nosuid,size=50m \
  --network=none \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  --security-opt="seccomp=/etc/docker/seccomp-agent.json" \
  --user=65534:65534 \
  --memory=512m \
  --memory-swap=512m \
  --cpus=0.5 \
  --pids-limit=100 \
  moltbot-agent:latest \
  timeout 30 node agent.js
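A small audit helper, added here as an example and not part of the original guide or of Moltbot: it checks a docker run command line against the isolation flags listed above and reports what is missing or dangerous, so the check can gate an agent deployment in CI. The flag lists and the weak sample command are constructed for this example.

```python
import shlex

# Flags the hardened command above requires, keyed by the prefix to look for.
REQUIRED = {
    "--read-only": "filesystem: read-only rootfs",
    "--tmpfs": "filesystem: ephemeral tmp",
    "--network=none": "network: no egress",
    "--cap-drop=ALL": "capabilities: drop ALL",
    "--security-opt=no-new-privileges": "capabilities: no-new-privileges",
    "--user=": "user namespace: non-root user",
    "--memory=": "resources: memory limit",
    "--cpus=": "resources: cpu limit",
    "--pids-limit=": "resources: pid limit",
}
# Flags that collapse the sandbox and must never appear in an agent container.
FORBIDDEN = ("--privileged", "--pid=host", "--network=host", "--ipc=host", "--userns=host")
# Boolean flags that take no value (so the following token is not their argument).
BOOLEAN = {"--rm", "--read-only", "--privileged", "--init", "-d", "-i", "-t", "-it", "--detach"}

def normalise(argv):
    """Rewrite '--flag value' as '--flag=value' so both spellings are matched alike."""
    out, i = [], 0
    while i < len(argv):
        a = argv[i]
        takes_value = (a.startswith("-") and "=" not in a and a not in BOOLEAN
                       and i + 1 < len(argv) and not argv[i + 1].startswith("-"))
        out.append(f"{a}={argv[i + 1]}" if takes_value else a)
        i += 2 if takes_value else 1
    return out

def audit_docker_run(cmdline):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    args = normalise(shlex.split(cmdline))
    findings = [f"missing {p} ({why})" for p, why in REQUIRED.items()
                if not any(a.startswith(p) for a in args)]
    findings += [f"forbidden flag {bad}" for bad in FORBIDDEN
                 if any(a.startswith(bad) for a in args)]
    for a in args:
        if a.startswith("--user=") and a.split("=", 1)[1].split(":")[0] in ("0", "root"):
            findings.append("--user runs as root")
        if a.startswith("--tmpfs=") and "noexec" not in a:
            findings.append("--tmpfs without noexec (writable and executable tmp)")
        if a.startswith(("-v=", "--volume=", "--mount=")) and "docker.sock" in a:
            findings.append("docker socket mounted into agent container")
    return findings

if __name__ == "__main__":
    # Constructed weak command: what an unhardened agent launch often looks like.
    weak = "docker run --rm --privileged --network=host moltbot-agent:latest node agent.js"
    print("\n".join(audit_docker_run(weak)) or "no findings")
```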

Kubernetes Pod Security Context

# Kubernetes PodSecurityContext for AI agents
apiVersion: v1
kind: Pod
metadata:
  name: moltbot-agent
spec:
  restartPolicy: Never              # one short-lived pod per task; never restart a finished agent
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534                # nobody
    runAsGroup: 65534
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault          # runtime's default syscall filter
  containers:
  - name: moltbot-agent
    image: moltbot-agent:latest
    securityContext:
      allowPrivilegeEscalation: false   # equivalent of no-new-privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        memory: "512Mi"
        cpu: "500m"                 # half a core
        ephemeral-storage: "100Mi"
    volumeMounts:
    - name: tmp-dir
      mountPath: /tmp               # the only writable path
  volumes:
  - name: tmp-dir
    emptyDir:
      sizeLimit: 50Mi               # wiped with the pod

Blast Radius Limitation Principles

1. One agent, one task: never run multiple user tasks in the same agent process. Context from one task contaminating another is a real risk.
2. Short-lived agents: spawn a fresh container per task, kill and discard it after the 30s timeout, and keep no persistent state between runs.
3. Minimal tool surface: agents get access only to the tools they need for the specific task, never to a global tool registry.
4. Output validation gate: all agent outputs pass through a validation layer before any downstream action. Never auto-execute raw LLM output.
5. No credentials in agent context: agents receive one-time capability tokens, never raw API keys or passwords.
