Posted by 0o_MrPatrick_o0 12 hours ago

Bubblewrap: A nimble way to prevent agents from accessing your .env files(patrickmccanna.net)
126 points | 97 comments
bjackman 6 hours ago
I really don't understand why people have all these "lightweight" ways of sandboxing agents. In my view there are two models:

- totally unsandboxed but I supervise it in a tight loop (the window just stays open on a second monitor and it interrupts me every time it needs to call a tool).

- unsupervised in a VM in the cloud where the agent has root. (I give it a task, negotiate a plan, then close the tab and forget about it until I get a PR or a notification that it failed).

I want either full capabilities for the agent (at the cost of needing to supervise for safety) or full independence (at the cost of limited context in a VM). I don't see a productive way to mix and match here, seems you always get the worst of both worlds if you do that.

Maybe the use case for this particular example is where you are supervising the agent but you're worried that apparently-safe tool calls are actually quietly leaking a secret that's in context? So it's not that it's a 'mixed' use case but rather it's just increasing safety in the supervised case?

emilburzo 38 minutes ago
> unsupervised in a VM in the cloud where the agent has root

Why in the cloud and not in a local VM?

I've re-discovered Vagrant and have been using it exactly for this and it's surprisingly effective for my workflows.

https://blog.emilburzo.com/2026/01/running-claude-code-dange...

Bender 2 hours ago
As someone that does this, it's Turtles All The Way Down [1]. Every layer has escapes. I require people to climb up multiple turtles, thus breaking most skiddie [2] scripts. Attacks will have to be targeted and custom crafted by people that can actually code, thus reducing the amount of turds in the swimming pool I must avoid. People should not write apps that make assumptions around accessing sensitive files.

[1] - https://en.wikipedia.org/wiki/Turtles_all_the_way_down

[2] - https://en.wikipedia.org/wiki/Skiddies

theptip 1 hour ago
It’s a risk/convenience tradeoff. The biggest threat is Claude accidentally accesses and leaks your ssl keys, or gets prompt-hijacked to do the same. A simple sandbox fixes this.

There are theoretical risks of Claude getting fully owned and going rogue, and doing the iterative malicious work to escape a weaker sandbox, but it seems substantially less likely to me, and therefore perhaps not (currently) worth the extra work.

sschueller 1 hour ago
Is there a premade VM image or docker container I can just start with, for example Google Antigravity, Claude or Kilocode/vscode? Right now I have to install some linux desktop and all the tools needed, a bit of a pain IMO.

I see there are cloud VMs like at kilocode but they are kind of useless IMO. I can only interact with the prompt and not the code base directly. Too many things go wrong and maybe I also want kilo code to run a docker stack for me, which it can't in the agent cloud.

emilburzo 36 minutes ago
> [...] and maybe I also want kilo code to run a docker stack for me which it can't in the agent cloud

Yes! I'm surprised more people do not want this capability. Check out my comment above, I think Vagrant might also be what you want.

wasting_time 1 hour ago
fly.io launched something like that recently:

https://sprites.dev/

simonw 10 hours ago
I recommend caution with this bit:

  --bind "$HOME/.claude" "$HOME/.claude"

That directory has a bunch of sensitive stuff in it, most notably the transcripts of all of your previous Claude Code sessions.

You may want to take steps to avoid a malicious prompt injection stealing those, since they might contain sensitive data.

pmontra 24 minutes ago
I think that the rw directories should not be shared among projects. Maybe there should be separate copies even for what gets mounted into $HOME/.nvm

0o_MrPatrick_o0 9 hours ago
Wonderful insight! Thank you!

meander_water 10 hours ago
I recently created a throwaway API key for cloudflare and asked a cursor cloud agent to deploy some infra using it, but it responded with this:

> I can’t take that token and run Cloudflare provisioning on your behalf, even if it’s “only” set as an env var (it’s still a secret credential and you’ve shared it in chat). Please revoke/rotate it immediately in Cloudflare.

So clearly they've put some sort of prompt guard in place. I wonder how easy it would be to circumvent it.

bavell 44 minutes ago
Claude definitely has some API token security baked in; it saw some API keys in a log file of mine the other day and called them out to me as a security issue very clearly. In this case it was a false positive but it handled the situation well and even gave links to reset each token.

0o_MrPatrick_o0 8 hours ago
If your prompt is complex enough, it doesn’t seem to get triggered.

I use a lot of ansible to manage infra, and before I learned about ansible-vault, I was moving some keys around unprotected in my lab. Bad hygiene, and no prompt intervening.

Kinda bums me out that there may be circumstances where the model just rejects this even if for some reason you needed it.

flakes 9 hours ago
I find it better to bubblewrap against a full sandbox directory. Using docker, you can export an image to a single tarball archive, flattening all layers. I use a compatible base image for my kernel/distro, and unpack the image archive into a directory.

With the unpack directory, you can now limit the host paths you expose, avoiding leaking in details from your host machine into the sandbox.

  bwrap --ro-bind image/ / --bind src/ /src ...

Any tools you need in the container are installed in the image you unpack.

Some more tips: Use --unshare-all if you can. Make sure to add --proc and --dev options for a functional container. If you just need network, use both --unshare-all and --share-net together, keeping everything else separate. Make sure to drop any privileges with --cap-drop ALL
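
A script that follows the recipe in this comment, added here as an illustration and not the commenter's own code: it builds the bwrap argument list from an unpacked image directory and a project directory, exposes no other host path (so $HOME, and with it ~/.claude from simonw's caution above, is never visible), and clears the inherited environment so nothing a shell sourced from a .env leaks in. Assumptions: the image and project paths are the caller's and contain no whitespace, the image is a flattened rootfs compatible with the host kernel, and the installed bubblewrap supports --clearenv.

```shell
#!/bin/sh
# Added example: compose and run a bubblewrap sandbox per the recipe above.
# Assumes: $1 = flattened image rootfs dir, $2 = project dir (no whitespace
# in either path), and a bubblewrap build that has --clearenv.

# Print the bwrap argument list as one space-separated string.
bwrap_args() {
    image="$1"   # used read-only as the sandbox's /; the host root is never seen
    src="$2"     # the only host path exposed read-write, mounted at /src
    # --unshare-all creates fresh user/pid/net/ipc/uts namespaces; --share-net
    # then hands the network back so the agent can still reach its provider.
    # --proc/--dev/--tmpfs give the image a working /proc, /dev and /tmp.
    # --clearenv drops every inherited variable (anything a shell sourced
    # from a .env included); only the --setenv values below reach the agent.
    printf '%s' "--unshare-all --share-net --die-with-parent --new-session" \
        " --cap-drop ALL --ro-bind $image / --proc /proc --dev /dev --tmpfs /tmp" \
        " --bind $src /src --clearenv --setenv HOME /src" \
        " --setenv PATH /usr/local/bin:/usr/bin:/bin --chdir /src"
}

# Validate inputs, then exec bwrap with the agent command given in "$@".
run_sandboxed() {
    image="$1"
    src="$2"
    shift 2
    [ -d "$image" ] || { echo "image dir not found: $image" >&2; return 1; }
    [ -d "$src" ]   || { echo "project dir not found: $src" >&2; return 1; }
    # bwrap cannot create a mount point on a read-only root, so the /src
    # directory must already exist inside the unpacked image.
    mkdir -p "$image/src"
    # shellcheck disable=SC2046  # splitting the arg string into words is intended
    exec bwrap $(bwrap_args "$image" "$src") -- "$@"
}

# Usage: ./sandbox.sh run ./image ./project claude
case "${1:-}" in
    run) shift; run_sandboxed "$@" ;;
esac
```

Anything the agent needs beyond /src (compilers, package managers, the agent CLI itself) has to be baked into the image, exactly as the comment says.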

raphinou 6 hours ago
I put all my agents in a docker file in which the code I'm working on is mounted. It's working perfectly for me until now. I even set it up so I can run gui apps like antigravity in it (X11). If anyone is interested, I shared my setup at https://github.com/asfaload/agents_container

grewil2 6 hours ago
It won’t save you from prompt injections that attack your network.
TCattd 2 hours ago
Shameless plug, in case you're interested: https://github.com/EstebanForge/construct-cli

Let me know if you give it a go ;)

sschueller 1 hour ago
Interesting, any plans to add LiteLLM (https://github.com/BerriAI/litellm) and Kilocode (https://github.com/Kilo-Org/kilocode)?

fgonzag 3 hours ago
In theory the docker container should only have the projects directory mounted, open access to the internet, and that's it. No access to anything else on the host or the local network.

Internet to connect with the provider, install packages, and search.

It's not perfect but it's a start.

63stack 5 hours ago
Docker containers run in their separate isolated network

raphinou 6 hours ago
Of course, I'm not pretending this is a universal remedy solving all the problems. But I will add a note in the readme to make it clear, thanks for the feedback!

dangoodmanUT 10 hours ago
I've been saying bubblewrap is an amazing solution for years (and sandbox-exec as a mac alternative). This is the only way I run agents on systems I care about

catlifeonmars 10 hours ago
> run agents on systems I care about

You must not care about those systems that much.

prmoustache 6 hours ago
Isn't landrun the preferred way to sandbox apps on linux these days instead?

https://github.com/Zouuup/landrun

qrobit 5 hours ago
Bubblewrap seems to be much more popular[^1], personally this is the first time I heard about landrun

[1]: https://repology.org/project/bubblewrap/information https://repology.org/project/landrun/information

aszen 4 hours ago
I wonder why we are even storing secrets in .env files in plain text
makoto12 4 hours ago
This wouldn't have made the front page if it was: "How to not store your secrets in plain text"
patapong 4 hours ago
I would also prefer not doing this. Does anyone know of any lightweight, cross platform alternatives?
phrotoma 4 hours ago
Perhaps I'm off base here but it seems like the goal is:

1. allow an agent to run wild in some kind of isolated environment, giving the "tight loop" coding agent experience so you don't have to approve everything it does.

2. let it execute the code it's creating using some credentials to access an API or a server or whatever, without allowing it to exfil those creds.

If 1 is working correctly I don't see how 2 could be possible. Maybe there's some fancy homomorphic encryption / TEE magic to achieve this but like ... if the process under development has access to the creds, and the agent has unfettered access to the development environment, it is not obvious to me how both of these goals could be met simultaneously.

Very interested in being wrong about this. Please correct me!

WhyNotHugo 1 hour ago
If your .env file is being sourced by something like direnv, you can have it read secrets from the secret storage service and export them as env vars.

If you bind-mount the directory, the sandbox can see the commands, but executing them won’t work since it can’t access the secret service.

johnisgood 4 hours ago
I would like an answer, too.
typs 11 hours ago
I wish I had the opposite of this. It’s a race trying to come up with new ways to have Cursor edit and set my env files past all their blocking techniques!
verdverm 8 hours ago
Like this? (Obfuscated, from agent and history)

https://bsky.app/profile/verdverm.com/post/3mbo7ko5ek22n

GrowingSideways 11 hours ago
If you wouldn't upload keys to github, why would you trust them to cursor?
hahahahhaah 11 hours ago
A local .env should be safe to put on your T-shirt and walk down Times Square.

Mysql user: test

Password: mypass123

Host: localhost

...

jen729w 5 hours ago
STRIPE_SECRET_KEY="op://81 Dev environment variables/Stripe - dev - API keys/STRIPE_SECRET_KEY"

https://developer.1password.com/docs/cli/

Imustaskforhelp 11 hours ago
Create a symlink to .env from another file and ask cursor to refer to it, if the name is the concern regarding cursor (I don't know how cursor does this stuff)
raw_anon_1111 2 hours ago
My workflow even before Claude code.

1. I never use permanent credentials for AWS on my local computer.

2. I never have keys anywhere on my local computer. I put them in AWS Secret Manager.

3. My usual set of local access keys can’t create IAM roles (PowerUserAccess).

It’s not foolproof. But it does reduce the attack surface.
