Sandboxing for AI Coding with GitHub Codespaces
Running AI coding agents locally on your machine offers great power but introduces significant security risks. An agent could inadvertently modify or delete files outside of the project directory, or it could be exploited via network access to exfiltrate sensitive data. While some tools offer built-in safeguards, these are not always available or sufficient. A more universal and robust method for mitigating these risks is to run the agent within a sandboxed cloud development environment.
Comparing Mitigation Strategies
It’s useful to understand the trade-offs between different safety measures.
Running an agent with no sandbox offers no protection; the agent operates with the same permissions as your user account, with full access to your files and network.
At the other end of the spectrum, some tools like the Codex CLI provide granular, built-in controls. Modes like read-only can completely restrict file system writes and disable network access, prompting you for approval for any action that crosses these boundaries. This approach is highly effective for both file system and network protection, but its main drawback is its low universality — the protection is tied to that specific tool. If you use a different agent or a VS Code extension, you need another solution.
This is where a general-purpose sandbox shines. It provides a secure environment that can run any agent, regardless of its built-in features.
The Universal Sandbox: GitHub Codespaces
GitHub Codespaces provides an excellent, on-demand sandbox. It works by launching your repository inside a dedicated, isolated container in the cloud. This architecture creates a definitive barrier between the AI agent’s execution environment and your local computer’s file system.
The primary benefit is complete file system isolation. The agent is effectively “jailed” within the container and can only access the files checked into your repository. It has no visibility of or access to your local drives, ensuring your personal files and system configuration remain untouched.
You can interact with your sandboxed environment in several ways, catering to different workflows:
VS Code in the Browser: The default method, offering a full-featured IDE for quick access without any local setup.
VS Code Desktop: For a more familiar experience, you can connect your local VS Code application directly to the remote Codespace. The code execution and terminal remain securely in the cloud.
Direct SSH Access: For command-line agents, this is often the most convenient option. Using the GitHub CLI, the command gh cs ssh gives you a standard terminal session inside the container, allowing you to run any CLI tool securely.
Persistent Risks and Best Practices
While this technique provides a robust solution for file system threats, it is crucial to understand that network risks remain. A Codespace offers high universality and strong file system protection, but it provides no inherent network protection. An agent running inside it with network permissions can still send and receive data. If your repository contains secrets — such as API keys checked into version control — a compromised agent could still exfiltrate them.
Therefore, a Codespace sandbox should be seen as one powerful layer in a multi-layered security approach. It provides peace of mind regarding your local file system, but you must still be vigilant about network activity and practice good secret management.
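The two practical points above, running a CLI agent from a gh cs ssh session and not letting a Codespace become an exfiltration path for secrets checked into the repository, can be combined into a small pre-launch guard. The script below is an added example and is not part of the original article or of any GitHub tooling. It assumes the documented environment variables CODESPACES=true and CODESPACE_NAME that GitHub sets inside a Codespace; the secret patterns are deliberately simple and constructed for illustration, and any agent command you chain after guard is your own choice.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-launch guard for an AI
# coding agent. It refuses to start the agent unless the shell is inside a
# GitHub Codespace (file system isolation in place) and the working tree
# contains no obvious checked-in secrets (the network risk the article warns
# about). Assumption: GitHub sets CODESPACES=true and CODESPACE_NAME inside a
# Codespace; nothing else about the container is assumed.

# in_codespace: exit status 0 when the environment looks like a Codespace.
in_codespace() {
    [ "${CODESPACES:-}" = "true" ] && [ -n "${CODESPACE_NAME:-}" ]
}

# find_secrets DIR: print file:line:text for lines that look like credentials.
# The patterns are constructed for this example (AWS access key ids, GitHub
# personal access tokens, PEM private keys, and key=value style assignments);
# treat hits as something to review, not as proof of a leak.
find_secrets() {
    dir=$1
    grep -rIinE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
        -e "(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{12,}" \
        --exclude-dir=.git "$dir" 2>/dev/null
}

# guard DIR: 0 if the agent may start, 1 if not inside a Codespace,
# 2 if the working tree contains possible secrets.
guard() {
    if ! in_codespace; then
        echo "refusing: not inside a GitHub Codespace" >&2
        return 1
    fi
    hits=$(find_secrets "$1")
    if [ -n "$hits" ]; then
        echo "refusing: possible secrets in working tree:" >&2
        echo "$hits" >&2
        return 2
    fi
    return 0
}
```

From the gh cs ssh terminal, source the file and run something like guard "$PWD" && exec your-agent-command, so the agent only starts when both checks pass. The secret scan is a coarse heuristic; it catches the case the article describes (keys committed to the repository) but not secrets injected through environment variables, so it complements rather than replaces proper secret management.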