Skip to content

gko/sandboxed

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

sandboxed

A simple, secure wrapper to run any command inside a macOS Seatbelt sandbox that only allows writes inside your current project directory.

Protect your machine when running untrusted scripts, package managers, or AI coding agents.

Demo

sandboxed protecting your machine

sandboxed rm -rf ~/test
# → Operation not permitted

Features

  • Project-scoped sandboxing — Writes are strictly limited to your current working directory
  • Network control — Block all network with --deny-network, or allow localhost only with --allow-localhost (useful for local LLMs like Ollama/llama.cpp)
  • Smart cache whitelisting — Works with npm, bun, cargo, uv, etc.
  • Safety guardrails — Refuses to sandbox dangerous paths

Why?

Running commands from the internet, AI agents, or build tools can accidentally (or maliciously) write outside your project. sandboxed gives you strong protection with almost zero friction.

Especially useful when working with:

  • AI coding agents (Claude Code, OpenCode, etc.)
  • Untrusted scripts or repositories
  • Package managers and build tools

Installation

One-liner

curl -fsSLo sandboxed https://raw.githubusercontent.com/gko/sandboxed/main/sandboxed.sh && \
chmod +x sandboxed && \
sudo mv sandboxed /usr/local/bin/

With zinit

zinit as"program" mv"sandboxed.sh -> sandboxed" pick"sandboxed" for gko/sandboxed

Note

If sandboxed is not found after installation, run zinit delete gko/sandboxed and restart your terminal.

Usage

sandboxed [options] <command> [args...]

Options:

  • --deny-network — Disable all network access
  • --allow-localhost — Allow localhost connections (only works together with --deny-network)

Examples

sandboxed bash                    # Drop into a sandboxed shell
sandboxed python script.py
sandboxed npm install
sandboxed cargo build
sandboxed rm -rf ~/test           # Blocked (outside current project)

With AI Coding Agents

sandboxed claude
sandboxed opencode

# Block network but allow local AI models (Ollama, llama.cpp, etc.)
sandboxed --deny-network --allow-localhost claude
sandboxed --deny-network --allow-localhost opencode

How it works

sandboxed generates a temporary Seatbelt profile that:

  • Allows reading files from anywhere on your system
  • Only allows writing inside your current project directory + whitelisted cache folders (npm, bun, cargo, uv, etc.)
  • Supports granular network control:
    • Default: Network is allowed
    • --deny-network: Blocks all network access
    • --deny-network --allow-localhost: Blocks network except local connections
  • Automatically cleans up after execution

Limitations

  • macOS only
  • Some tools may need additional cache paths whitelisted

License

This project is open source and available under the GPLv3 license.

About

Securely run any command inside a macOS Seatbelt sandbox limited to your current project directory.

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages