Show HN: yolo-cage – AI coding agents that can't exfiltrate secrets (github.com)
Backstory: I've been using many agents in parallel as I work on a somewhat ambitious financial analysis tool. I was juggling agents working on epics for the linear solver, the persistence layer, the front-end, and planning for the second-generation solver. I was losing my mind playing whack-a-mole with the permission prompts. YOLO mode felt so tempting. And yet.
Then it occurred to me: what if YOLO mode isn't so bad? Decision fatigue is a thing. If I could cap the blast radius of a confused agent, maybe I could just review once. Wouldn't that be safer?
So that day, while my kids were taking a nap, I decided to see if I could put YOLO-mode Claude inside a sandbox that blocks exfiltration and regulates git access. The result is yolo-cage.
Also: the AI wrote its own containment system from inside the system's own prototype. Which is either very aligned or very meta, depending on how you look at it.
22 comments
[ 3.2 ms ] story [ 40.6 ms ] threadAnd adding the fact that you used AI to write the supposed containment system, I'm really not seeing the safety benefits here.
The docs also seem very AI-generated (see below). What part did you yourself play in actually putting this together? How can you be sure that filtering a few specific (listed) commands will actually give any sort of safety guarantees?
https://github.com/borenstein/yolo-cage/blob/main/docs/archi...
- Think codesandbox, how much time does it take for a VM here to boot?
- How safe do you think this solution would be to let users execute untrusted code inside while being able to pip install and npm install all sorts of libraries and
- how do you deploy this inside AWS Lambda/Fargate for the same usecase?
If you want to build some greenfield auxiliary tools fine, agents make sense but I find that even gemini's webui has gotten good enough to create multiple files instead of putting everything in one file.
This way I also dont get locked in to any provider
The exfiltration controls are interesting. Have you thought about extending this to rate limiting and cost controls as well? We've been working on similar problems at keypost.ai - deterministic policy enforcement for MCP tool calls (rate limits, access control, cost caps).
One thing we've found is that the enforcement layer needs to be in-path rather than advisory - agents can be creative about working around soft limits. Curious how you're handling the boundary between "blocked" and "allowed but logged"?
Great work shipping this - the agent security space needs more practical tools.
Of course the question comes because we always lack tokens and have to dance around many providers.
It looks like secret scanning is outsourced by the proxy to LLM-Guard right now, which is configured here: https://github.com/borenstein/yolo-cage/blob/d235fd70cb8c2b4...
Here's the LLM Guard image it uses: https://hub.docker.com/r/laiyer/llm-guard-api - which is this project on GitHub (laiyer renamed to protectai): https://github.com/protectai/llm-guard
Since this only uses the "secrets" mechanism in LLM Guard I suggest ditching that dependency entirely, it uses LLM Guard as a pretty expensive wrapper around some regular expressions.
The only Yolo I know about is an object detection model :/
I think a lot of this current sandboxing interest is coming from a break in assumptions. Traditional security mostly assumed a human was driving. Actions are chained together slowly and there’s time to notice and intervene. Agents have root access/tons of privilege but they execute at machine speed. The controls (firewalls/IAM) all still “work,” but the thing they were implicitly relying on (human judgment + hesitation) isn’t there anymore.
Since that assumption went away, we're all looking for ways to contain this risk + limiting what can happen if the coding agent does something unintended. Seeing a lot of people turn toward containers, VMs, and other variants of them for this.
Full disclosure: I’m at Docker. We’ve seen a lot of developers immediately reach for Docker as a quick way to fence agents in. This pushed us to build Docker Sandboxes, specifically for coding agents. It’s early, and we’re iterating, including moving toward microVM-based isolation and network access controls soon (update within weeks).
https://github.com/jgbrwn/vibebin
Cordum.io