09.03.2026

Agent Safehouse: Kernel-Level Sandboxing for AI Agents on macOS


AI coding agents like Claude Code, Codex CLI, and Gemini CLI can dramatically accelerate development. But they also run with your full user permissions. One hallucination, one prompt injection, or one bad decision, and rm -rf ~ is just a probability away. Agent Safehouse addresses this with macOS-native sandboxing that blocks access at the kernel level, so the agent process cannot reach files it was never granted, whatever it decides to do.

What is Agent Safehouse?

Agent Safehouse is a single Bash script that wraps any CLI agent in a macOS sandbox profile. It uses the native sandbox-exec facility to enforce a deny-first access model. Unlike container-based isolation, this approach requires zero dependencies and works with existing toolchains.

The key insight: agents inherit your full permissions by default. Safehouse flips this model. Nothing is accessible unless explicitly granted.

Key Features

  • Deny-first security model: Home directory, SSH keys, AWS credentials, and other repos are blocked by default
  • Zero dependencies: Single shell script using native macOS sandbox-exec
  • Automatic workdir detection: Grants read/write to current project (git root by default)
  • Toolchain awareness: Read access to installed compilers, runtimes, and package managers
  • Universal agent support: Works with Claude Code, Codex CLI, Gemini CLI, Amp, and any other CLI tool
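The deny-first model in runnable form, as an added example that is not the safehouse script itself: it walks up to the git root (the default workdir), builds a sandbox-exec profile in which everything is denied unless named, and runs a command under it. The set of system and toolchain paths granted is an assumption for illustration; the real script's allowances are not shown on this page, and a given toolchain will usually need more. sandbox-exec is macOS-only and is marked deprecated in its man page, though it still functions.

```shell
#!/bin/sh
# Added example (not the safehouse script itself): a minimal deny-first
# sandbox-exec profile in the style the article describes. The allowances
# below are an assumed starting set, not the real script's list.
set -eu

# Walk up from a directory until a .git entry is found; fall back to the
# starting directory. Mirrors "git root by default" workdir detection
# without needing git installed.
detect_workdir() {
  dir=$(cd "${1:-$PWD}" && pwd -P)
  probe="$dir"
  while [ "$probe" != "/" ]; do
    if [ -e "$probe/.git" ]; then
      printf '%s\n' "$probe"
      return 0
    fi
    probe=$(dirname "$probe")
  done
  printf '%s\n' "$dir"
}

# Emit a Sandbox Profile Language (SBPL) profile.
#   $1 = project directory (read/write); remaining args = extra read-only dirs.
# Everything not listed is denied by (deny default), so ~/.ssh, ~/.aws and
# sibling repos are unreachable simply because they are never granted.
build_profile() {
  workdir="$1"; shift
  cat <<EOF
(version 1)
(deny default)
;; process basics that runtimes need: fork/exec, signals, sysctl, mach
(allow process-fork)
(allow process-exec)
(allow signal (target same-sandbox))
(allow sysctl-read)
(allow mach-lookup)
(allow file-read-metadata)
;; system and toolchain locations, read-only (assumed set)
(allow file-read*
  (subpath "/usr")
  (subpath "/bin")
  (subpath "/sbin")
  (subpath "/System")
  (subpath "/Library")
  (subpath "/private/etc")
  (subpath "/opt/homebrew")
  (subpath "/dev"))
(allow file-read* file-write* (literal "/dev/null") (regex #"^/dev/tty"))
;; the project itself, read/write
(allow file-read* file-write* (subpath "$workdir"))
;; scratch space used by most tools
(allow file-read* file-write* (subpath "/private/tmp"))
(allow file-read* file-write* (subpath "/private/var/folders"))
;; network, so the agent can reach its model API
(allow network*)
EOF
  for extra in "$@"; do
    printf '(allow file-read* (subpath "%s"))\n' "$extra"
  done
}

# Run a command inside the generated profile. Refuse on non-macOS hosts
# rather than silently running the command unsandboxed.
run_sandboxed() {
  workdir="$1"; shift
  if [ "$(uname -s)" != "Darwin" ]; then
    echo "sandbox-exec is macOS-only; not running: $*" >&2
    return 2
  fi
  sandbox-exec -p "$(build_profile "$workdir")" "$@"
}

# Usage: SAFEHOUSE_EXAMPLE_RUN=1 sh example.sh claude --dangerously-skip-permissions
if [ "${SAFEHOUSE_EXAMPLE_RUN:-0}" = 1 ]; then
  run_sandboxed "$(detect_workdir)" "$@"
fi
```

Because the profile starts from (deny default), reading ~/.ssh fails not because it appears in a block list but because it is never granted; widening the sandbox always means adding an allow clause, which is the property the article's deny-first claim rests on. When a tool breaks under the profile, the fix is to add the specific path it needs rather than to relax the default.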

Installation

Download the script and make it executable:

mkdir -p ~/.local/bin
curl -fsSL https://raw.githubusercontent.com/eugene1g/agent-safehouse/main/dist/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

Add ~/.local/bin to your PATH if needed.

Usage

Run any agent inside the sandbox:

cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions

Test the sandbox by trying to access sensitive files:

# This fails - kernel blocks access
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted

# This works - current project is allowed
safehouse ls .
# README.md src/ package.json ...
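Beyond a one-off cat test, the kernel records every refusal, which is the audit trail a defender actually wants: what did the agent try to touch that it was not granted? The following is an added example, not part of the article or the safehouse script: it reduces macOS sandbox denial log lines to a per-path summary and flags credential directories. The log line shape, the sample lines and the log stream predicate are assumptions for illustration; exact formatting varies across macOS versions.

```shell
#!/bin/sh
# Added example (not from the article or the safehouse script): summarize
# sandbox denials from the unified log. Denial line shape assumed here:
#   Sandbox: cat(4242) deny(1) file-read-data /Users/you/.ssh/id_ed25519

# Constructed sample of compact-style log output, for offline use.
sample_log() {
  cat <<'EOF'
2026-03-09 10:12:01.100 Df kernel[0:1a2b] (Sandbox) Sandbox: cat(4242) deny(1) file-read-data /Users/you/.ssh/id_ed25519
2026-03-09 10:12:01.101 Df kernel[0:1a2b] (Sandbox) Sandbox: cat(4242) deny(1) file-read-data /Users/you/.ssh/id_ed25519
2026-03-09 10:12:01.102 Df kernel[0:1a2b] (Sandbox) Sandbox: cat(4243) deny(1) file-read-data /Users/you/.ssh/id_ed25519
2026-03-09 10:12:02.000 Df kernel[0:1a2b] (Sandbox) Sandbox: claude(4300) deny(1) file-read-data /Users/you/.aws/credentials
2026-03-09 10:12:02.010 Df kernel[0:1a2b] (Sandbox) Sandbox: claude(4300) deny(1) file-read-data /Users/you/.aws/credentials
2026-03-09 10:12:03.000 Df kernel[0:1a2b] (Sandbox) Sandbox: node(4310) deny(1) file-write-create /Users/you/other-repo/notes.txt
2026-03-09 10:12:04.000 Df unrelated[100:0] something else entirely
EOF
}

# Read log lines on stdin; print "COUNT PROCESS OPERATION PATH" per distinct
# denial, most frequent first. The pid is dropped so repeated attempts by
# fresh processes collapse into one row. Non-matching lines are ignored.
summarize_denials() {
  sed -n 's/.*Sandbox: \([^(][^(]*\)([0-9]*) deny([0-9]*) \([^ ][^ ]*\) \(.*\)$/\1 \2 \3/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Keep only rows that touch well-known credential directories.
sensitive_only() {
  grep -E '/\.(ssh|aws|gnupg)(/|$)'
}

# Live view on a macOS host (assumed predicate; not run in the offline demo):
watch_denials() {
  log stream --style compact --predicate 'eventMessage CONTAINS "Sandbox:"'
}

# Offline demo: sample_log | summarize_denials | sensitive_only
```

Run the summary over `log show --last 1h` output after an agent session to see every path the sandbox refused; three refused reads of an SSH key by a process the agent spawned is exactly the event the deny-first model exists to catch, and it is visible here even though nothing was lost.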

Operational Tips

Add shell functions to sandbox agents by default:

# ~/.zshrc
# safe: run anything under the sandbox, with ~/work readable (not writable).
# $HOME is used instead of ~ because zsh does not expand a tilde after "=" by default.
safe() { safehouse --add-dirs-ro="$HOME/work" "$@"; }
# Override the agent commands so they are sandboxed whenever typed.
claude() { safe claude --dangerously-skip-permissions "$@"; }
codex() { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }

To bypass the sandbox temporarily, prefix the invocation with the command builtin (for example, command claude), which skips the shell function and runs the binary directly.

Conclusion

As AI agents gain more autonomy, sandboxing becomes essential. Agent Safehouse provides kernel-level protection with zero friction. It lets you run agents in "YOLO mode" without risking your credentials or other projects.

For teams managing AI agent infrastructure at scale, Akmatori provides comprehensive observability and governance. Powered by Gcore infrastructure for global reliability.
