Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents

Posted by souvik1997 8 hours ago

Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents(github.com)

WASM sandbox for running LLM-generated code safely.

Agents get a bash-like shell and can only call tools you provide, with constraints you define. No Docker, no subprocess, no SaaS — just pip install amla-sandbox

97 points | 63 commentspage 2

tgtweak 3 hours ago|

is a wasm sandbox as secure as a container or vm?

souvik1997 3 hours ago||

If I had to rank these, in order of least to most secure, it would be container < VM < WASM.

WASM has:

- Bounds checked linear memory

- No system calls except what you explicitly grant via WASI

- Much smaller attack surface

VMs have:

- Hardware isolation, separate kernel

- May have hypervisor bugs leading to VM escape (rare in practice though)

Some problems with containers:

- Shared host kernel (kernel exploit = escape)

- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it

- Larger attack surface (full syscall interface)

- Container escapes are a known class of vulnerability

PufPufPuf 3 hours ago||

In theory it's more secure. Containers and VMs run on real hardware, containers usually even on the real kernel (unless you use something like Kata). WASM doesn't have any system interface by default, you have full control over what it accesses. So it's similar to JVM for example.

messh 5 hours ago||

Docker and vms are not the only options though... you can use bubblewrap and other equivalents for mac

souvik1997 3 hours ago|

True. bubblewrap and similar (Landlock, sandbox-exec on Mac) are solid lightweight options. The main difference is they still expose a syscall interface that you then restrict, vs WASM where capabilities are opt-in from zero. Different starting points, similar goals.

Some advantages of building the sandbox in wasm, aside from the security benefits, are complete execution reproducibility. amla-sandbox controls all external side effects, leaving the wasm core as just "pure computation", which makes recording traces and replaying them very easy. It's great for debugging complex workflows.

benatkin 5 hours ago||

The readme exaggerates the threat of agents shelling out and glosses over a serious drawback of itself. On the shelling out side, it says "One prompt injection and you're done." Well, you can run a lot of these agents in a container, and I do. So maybe you're not "done". Also it's rare enough that this warning exaggerates - Claude Code has a yolo mode and outside of that, it has a pretty good permission system. On glossing over the drawback: "The WASM binary is proprietary—you can use it with this package but can't extract or redistribute it separately." And who is Amla Labs? FWIW the first commit is in 2026 and the license is in 2025.

souvik1997 5 hours ago|

Fair points.

On containers: yes, running in Docker/Firecracker works. The "one prompt injection and you’re done" framing is hyperbolic for containerized setups. The pitch is more relevant for people running agents in their local environment without isolation, or who want something lighter than spinning up containers per execution.

On the licensing: completely valid concern. We are a new company (just two cofounders right now) and the binary is closed for now only because we need to clean up the source code before releasing it as open-source. The Python SDK and capability layer are MIT.

I get that "trust us" isn’t compelling for a security product from an unknown entity, but since the Wasm binary runs within wasmtime (one of the most popular Wasm runtimes) and you can audit everything going in and out of it, the security story should hopefully be more palatable while we work on open sourcing the Wasm core.

The 2025/2026 date discrepancy is just me being sloppy with the license

turnsout 5 hours ago||

This is really awesome. I want to give my agent access to basic coding tools to do text manipulation, add up numbers, etc, but I want to keep a tight lid on it. This seems like a great way to add that functionality!

souvik1997 5 hours ago|

Thanks! That’s exactly the use case we built this for

behnamoh 5 hours ago||

> What you don't get: ...GPU access...

So no local models are supported.

souvik1997 5 hours ago|

The sandbox doesn’t run models. it runs agent-generated code and constrains tool calls. The model runs wherever you want (OpenAI, Anthropic, local Ollama, whatever).

muktharbuilds 5 hours ago||

thats great one i am definetly ussing this

westurner 8 hours ago||

From the README:

> Security model

> The sandbox runs inside WebAssembly with WASI for a minimal syscall interface. WASM provides memory isolation by design—linear memory is bounds-checked, and there's no way to escape to the host address space. The wasmtime runtime we use is built with defense-in-depth and has been formally verified for memory safety.

> On top of WASM isolation, every tool call goes through capability validation: [...]

> The design draws from capability-based security as implemented in systems like seL4—access is explicitly granted, not implicitly available. Agents don't get ambient authority just because they're running in your process.

westurner 8 hours ago|

From "Show HN: NPM install a WASM based Linux VM for your agents" re: https://github.com/deepclause/agentvm .. https://news.ycombinator.com/item?id=46686346 :

>> How to run vscode-container-wasm-gcc-example with c2w, with joelseverin/linux-wasm?

> linux-wasm is apparently faster than c2w.

container2wasm issue #550: https://github.com/container2wasm/container2wasm/issues/550#...

vscode-container-wasm-gcc-example : https://github.com/ktock/vscode-container-wasm-gcc-example

Cloudflare Runners also run WASM; with workerd:

cloudflare/workerd : https://github.com/cloudflare/workerd

...

"Cage" implements ARM64 MTE Memory Tagging Extensions support for WASM with LLVM emscripten iirc:

- "Cage: Hardware-Accelerated Safe WebAssembly" (2024) https://news.ycombinator.com/item?id=46151170 :

> [ llvm-memsafe-wasm , wasmtime-mte , ]

souvik1997 7 hours ago||

agentvm looks very cool! They are taking a different approach - full Linux VM emulated in WASM. It's very impressive technically.

We differentiate from agentvm by being lightweight (~11 MB Wasm binary, compared to 173 MB for agentvm). Though there is still a lot we can learn from agentvm, thank you for sharing their project.

schmuhblaster 7 hours ago||

Thank you! When I started working on agentvm my original goal was similar to yours, build a kind of Mingw or Cygwin for WASM. However, I quickly learned that this wouldn't really be feasible with reasonable amounts of time/token spend, mostly due to issues like having to find a way to make fork work, etc. I am no expert for WASM or Linux system programming, but it's been a lot of fun working on this stuff. I hope that the WASI standard and runtimes become more mature, as I feel that WASM sandboxes make a lot of sense in environments where containers are not an option.

souvik1997 6 hours ago|||

Thanks for sharing the context! The fork problem is gnarly. Makes sense that full Linux emulation was the path forward for your use case.

Agreed on WASI maturity. We're hoping the component model lands in a stable form soon. Would love to see the ecosystem converge so these approaches can interoperate.

syrusakbary 6 hours ago||||

Nice! Fork is actually already working on Wasmer thanks to WASIX :) (and sockets, subprocesses, ...).

Let me know if you need any help using it!

westurner 7 hours ago|||

"Rethinking Code Refinement: Learning to Judge Code Efficiency" https://news.ycombinator.com/item?id=42097656

eWASM has costed opcodes. The EVM virtual machine has not implemented eWASM.

Costed opcodes in WASM for agents could incentivize efficiency

re: wasm-bpf and eWASM and the BPF verifier: https://news.ycombinator.com/item?id=42092120

ewasm docs > Gas Costs > "Gas costs of individual instructions" https://ewasm.readthedocs.io/en/mkdocs/determining_wasm_gas_...

Browser tabs could show CPU, RAM, GPU utilization;

From "The Risks of WebAssembly" (2022) https://news.ycombinator.com/item?id=32765865 :

> Don't there need to be per- CPU/RAM/GPU quotas per WASM scope/tab? Or is preventing DOS with WASM out of scope for browsers?

> IIRC, it's possible to check resource utilization in e.g. a browser Task Manager, but there's no way to do `nice` or `docker --cpu-quota` or `systemd-nspawn --cpu-affinity` to prevent one or more WASM tabs from DOS'ing a workstation with non-costed operations.

Presumably workerd supports resource quotas somehow?

From 2024 re: Process isolation in browsers : https://news.ycombinator.com/item?id=40861851 :

> From "WebGPU is now available on Android" [...] (2022) :

>> What are some ideas for UI Visual Affordances to solve for bad UX due to slow browser tabs and extensions?

>> UBY: Browsers: Strobe the tab or extension button when it's beyond (configurable) resource usage thresholds

>> UBY: Browsers: Vary the {color, size, fill} of the tabs according to their relative resource utilization

taosu_yb 7 hours ago|

[dead]