Skip to content
Security

Security

A sandbox is not a magic incantation you chant to make every security problem disappear. You should know what happens under the hood.

Picture the agent inside the sandbox: it runs as root. As a rule, even an agent gone rogue can’t break out of the sandbox, but it can read every file inside it. Assume the agent will read anything you pass in: the filesystem, process environment variables, and so on.

The sandbox needs to push and pull. If we uploaded your git SSH private key into it, the agent could read the key with one cat. ssh-agent bails us out with signature forwarding: the private key stays on your machine, and your local ssh-agent signs for the sandbox over the wire to authorize it. Compared with handing over the raw key, though, this has a downside: you have to stay connected to the sandbox to keep signing for it. That’s engineering. Much of the time you can’t have both security and convenience.

We upload one more secret into the sandbox: the key you use to call your model (for a ChatGPT subscription, that’s the access token in auth.json). Unfortunately, we haven’t found a good fix for this one.