Developer Tools

Agent Safehouse – macOS-native sandboxing for local agents

Open-source tool keeps local AI agents away from SSH keys, AWS credentials and other repositories, with the restrictions enforced by the macOS kernel.

Deep Dive

Agent Safehouse, developed by Eugene1g, brings macOS-native sandboxing to local AI coding agents. The tool addresses a real gap: LLM-driven agents are probabilistic, so even a small per-run chance of a catastrophic command such as 'rm -rf ~' becomes a near certainty across thousands of runs. Safehouse leans on macOS's built-in sandbox-exec (the Seatbelt sandbox) to run agents like Claude Code, Cursor, Aider, and Gemini CLI as confined processes. One caveat worth knowing: Apple has listed sandbox-exec as deprecated for years, but it is still shipped and still works on current macOS, and several build tools continue to rely on it.

The implementation uses a deny-first access model, which inverts the usual Unix situation in which a process inherits every permission of the user who launched it. Safehouse starts with everything denied and grants access only to explicitly approved directories. By default an agent gets read/write access to the current project directory (detected via the git root) and read access to installed toolchains, while sensitive locations such as ~/.ssh, ~/.aws, and every other repository on the machine remain inaccessible. The kernel enforces the profile at the syscall level, refusing an unauthorized operation before any file is touched, and the restrictions are inherited by child processes, so shell commands and tools the agent spawns are confined in the same way.

Setup is simple: a single shell script with no dependencies. Users download the script, make it executable, and launch their agents through it. The tool also offers shell-function integration that sandboxes every agent invocation automatically; because the wrapper is a shell function with the same name as the agent, the shell's 'command' builtin ('command agent-name') skips it and runs the agent unsandboxed when that is genuinely wanted. For advanced users, Safehouse ships prompts for generating custom sandbox profiles with an LLM, a feedback loop in which the model helps configure its own boundaries.

Compatibility testing shows the agents tested run normally inside their sandboxes and cannot touch anything outside the granted paths. Two limits follow from the design: the project directory is writable on purpose, so an agent can still wreck the repository it was pointed at (version control is the safety net there), and the sandbox confines file access on the local machine rather than anything the agent does over the network. Within those limits it is a pragmatic layer for the growing ecosystem of local AI coding assistants, letting developers 'move fast and break nothing' by containing agent errors inside safe boundaries.

Key Points
  • Kernel-level enforcement blocks unauthorized syscalls before file access, preventing commands like 'rm -rf ~'
  • Deny-first model grants access only to current project directory and toolchains, blocking ~/.ssh, ~/.aws by default
  • Single script installation with shell function integration automatically sandboxes all agent runs

Why It Matters

Enables safe experimentation with local AI agents by containing their potentially destructive actions while maintaining full functionality for legitimate coding tasks.