Skip to main content

Tool sandboxing

Engineering practice

Running model-invoked tools in restricted environments—limited filesystem, network, secrets, and syscalls—to contain blast radius.

When function calling or MCP servers can reach production systems, sandboxing is how you keep mistakes or prompt injections from becoming incidents. Pair sandboxes with allowlists, rate limits, and human-in-the-loop for dangerous operations.

Design goal

Assume the model will eventually issue a bad tool call; containment should still be boring.