A simple, secure wrapper to run any command inside a macOS Seatbelt sandbox that only allows writes inside your current project directory.
Protect your machine when running untrusted scripts, package managers, or AI coding agents.
sandboxed rm -rf ~/test
# → Operation not permitted- Project-scoped sandboxing — Writes are strictly limited to your current working directory
- Network control — Block all network with
--deny-network, or allow localhost only with--allow-localhost(useful for local LLMs like Ollama/llama.cpp) - Smart cache whitelisting — Works with npm, bun, cargo, uv, etc.
- Safety guardrails — Refuses to sandbox dangerous paths
Running commands from the internet, AI agents, or build tools can accidentally (or maliciously) write outside your project. sandboxed gives you strong protection with almost zero friction.
Especially useful when working with:
- AI coding agents (Claude Code, OpenCode, etc.)
- Untrusted scripts or repositories
- Package managers and build tools
curl -fsSLo sandboxed https://raw.githubusercontent.com/gko/sandboxed/main/sandboxed.sh && \
chmod +x sandboxed && \
sudo mv sandboxed /usr/local/bin/With zinit
zinit as"program" mv"sandboxed.sh -> sandboxed" pick"sandboxed" for gko/sandboxedNote
If sandboxed is not found after installation, run zinit delete gko/sandboxed and restart your terminal.
sandboxed [options] <command> [args...]Options:
--deny-network— Disable all network access--allow-localhost— Allow localhost connections (only works together with--deny-network)
sandboxed bash # Drop into a sandboxed shell
sandboxed python script.py
sandboxed npm install
sandboxed cargo build
sandboxed rm -rf ~/test # Blocked (outside current project)sandboxed claude
sandboxed opencode
# Block network but allow local AI models (Ollama, llama.cpp, etc.)
sandboxed --deny-network --allow-localhost claude
sandboxed --deny-network --allow-localhost opencodesandboxed generates a temporary Seatbelt profile that:
- Allows reading files from anywhere on your system
- Only allows writing inside your current project directory + whitelisted cache folders (npm, bun, cargo, uv, etc.)
- Supports granular network control:
- Default: Network is allowed
--deny-network: Blocks all network access--deny-network --allow-localhost: Blocks network except local connections
- Automatically cleans up after execution
- macOS only
- Some tools may need additional cache paths whitelisted
This project is open source and available under the GPLv3 license.
