Note that you don't need to use Deno or JavaScript at all to use this product. Here's their Python client SDK: https://pypi.org/project/deno-sandbox/

  from deno_sandbox import DenoDeploy
  
  sdk = DenoDeploy()
  
  with sdk.sandbox.create() as sb:
      # Run a shell command
      process = sb.spawn("echo", args=["Hello from the sandbox!"])
      process.wait()
  
      # Write and read files
      sb.fs.write_text_file("/tmp/example.txt", "Hello, World!")
      content = sb.fs.read_text_file("/tmp/example.txt")
      print(content)

Looks like the API protocol itself uses websockets: https://tools.simonwillison.net/zip-wheel-explorer?package=d...

> In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder

> The real key materializes only when the sandbox makes an outbound request to an approved host. If prompt-injected code tries to exfiltrate that placeholder to evil.com? Useless.

That seems clever.

"Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access.

This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration.

Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding."

I am so confused at how this is supposed to work. If the code, running in whatever language, does any sort of transform with the key that it thinks it has, doesnt this break? E.g. OAuth 1 signatures, JWTs, HMACs...

Now that I think further, doesnt this also potentially break HTTP semantics? E.g. if the key is part of the payload, then a data.replace(fake_key, real_key) can change the Content Length without actually updating the Content-Length header, right?

Lastly, this still doesnt protect you from other sorts of malicious attacks (e.g. 'DROP TABLE Users;')...Right? This seems like a mitigation, but hardly enough to feel comfortable giving an LLM direct access to prod, no?

It's always the exorbitant price with such offerings.

A 2 vCPU, 4GB Ram and 40GB Disk instance on Hetzner cost 4.13 USD.

The same here is:

$127.72 without pro plan, and $108.72 with pro plan.

This means to break even, I can only use this for 4.13/127.72*730 = 23.6 hours every month, or, less than an hour daily.

Fun! Our work from 10 years ago introduced the secrets protection technique being used in Deno: https://www.earlence.com/assets/papers/flowfence_sec16.pdf and fly's tokenizer. We called it "opaque computation" and it did a lot more than secrets protection.

The free plan makes me want to use it like Glitch. But every free service like this ever has been burned...

>Deno Sandbox gives you lightweight Linux microVMs (running in the Deno Deploy cloud)

The real question is can the microVMs run in just plain old linux, self-hosted.

Not mentioned, but something I would like/expect would be to have some kind of editor integration... VS Code remote extensions, as an example even... You can be in a remote code server with your local editor and terminal tab(s) within said editor on the remote system.

I realize this is using other interactions, but I'd like a bit more observability than just the isolated environment... I'm not even saying VS Code specifically, but something similar at the least.

Not sure if anyone from the deno team is monitoring this forum, but I was trying to stand up a dev-base snapshot and pretty quickly ran into a wall. Is it not currently possible to create a bootable volume from the CLI? https://docs.deno.com/sandbox/volumes/#creating-a-snapshot has an example for the js API, but the CLI equivalent isn't specifying --from and the latest verson of the deno CLI installed fresh from deno.land has no --from option. Is the CLI behind, here? Or is the argument provided some other way?

Secret placeholders seems like a good design decision.

So many sandbox products these days though. What are people using in production and what should one know about this space? There's Modal, Daytona, Fly, Cloudflare, Deno, etc

Looks promising. Any plans for a version that runs locally/self-host able?

Looks like the main innovation here is linking outbound traffic to a host with dynamic variables - could that be added to deno itself?

What happens if we use Claude Pro or Max plans on them ? It’ll always be a different IP connecting and we might get banned from Anthropic as they think we’re different users

Why limit the lifetime on 30 mins ?

Very interesting. Might copy it.

We recently built our own sandbox environment backed by firecracker and go. It works great.

For data residency, i.e. making sure the service is EU bound, there is basically no other way. We can move the service anywhere we can get hardware virtualisation.

As for the situation with credentials, our method is to generate CLIs on the fly and expose them to the LLMs and then they can shell script them whichever way they want. The CLIs only contain scoped credentials to our API which handles oauth and other forms of authentication transparently. The agent does not need to know anything about this. All they know is that they can do

$ some-skillset search-gmail-messages -q "emails from Adrian"

In our own experiments we find that this approach works better and it just makes sense given most of the latest models are trained as coding assistants. They just love bash, so give them the tools.

> allowNet: ["api.openai.com", "*.anthropic.com"],

How to know what domains to allow? The agent behavior is not predefined.

See also Sprites (https://news.ycombinator.com/item?id=46557825) which I've been using and really enjoying. There are some key architecture differences between the two, but very similar surface area. It'll be interesting to see if ephemeral + snapshots can be as convenient as stateful with cloning/forking (which hasn't actually dropped yet, although the fly team say it's coming).

Will give these a try. These are exciting times, it's never been a better time to build side projects :)

This sandboxing solution list is getting long... created https://github.com/arjan/awesome-agent-sandboxes, PRs welcome :)

I just run a local microVM. I built a small CLI that wraps lima to make my life easier. With a few commands I have a VM running locally with all batteries included (CC/Codex, ssh, packages I need, ...). With this I'm not saying Deno or Docker sandboxes are useless.

Never used Deno before, and searching through docs and their GitHub still leaves me with questions:

Can you configure Demo Sandbox to run on a self hosted installation of Deno Deploy (deployd), or is this a SaaS only offering?

If you can create a deno sandbox from a deno sandbox, you could create an almost unkillable service that jumps from one sandbox to the next. Very handy for malicious purposes. ;-)

Just an idea…

Love their network filtering, however it definitely lacks some capabilities (like the ability to do direct TCP connections to Postgres, or direct IP connections.

Those limitations from other tools was exactly why I made https://github.com/danthegoodman1/netfence for our agents

Where's the real value for devs in something like this? Hasn't everyone already built this for themselves in the past 2 years? I'm not trying to sound cheeky or poo poo the product, just surprised if this is a thing. I can never read what's useful by gut anymore, I guess.

If you achieve arbitrary code execution in the sandbox, I think you could pretty easily exfiltrate the openai key by using the openai code interpreter, and asking it to send the key to a url of your choice.

50/200 Gb free plus $0.5 / Gb out egress data seems expensive when scaling out.

Ignoring the fact that most of the blog post is written by an LLM, I like that they provide a python sdk. I dont believe vercel does for their sandbox product.

Firecrackervm with proxy?

Can this be used on iOS somehow? I am building a Swift app where this would be very useful but last time I checked I don't think it was possible.

> evil.com

That website does exist. It may hurt your eyes.

As a bit of an aside, I've gotten back into deno after seeing bun get bought out by an AI company.

I really like it. Startup times are now better than node (if not as good as bun). And being able to put your whole "project" in a single file that grabs dependencies from URLs reduces friction a surprising amount compared to having to have a whole directory with package.json, package-lock.json, etc.

It's basically my "need to whip up a small thing" environment of choice now.

Can it be used to sandbox an AI agent, like replacing eg Cursor or Openclaw sandboxing system?

What's with the pricing of these sandbox offerings recently? I assume just trying to milk the AI trend.

It's about 10x what a normal VM would cost at a more affordable hoster. So you better have it run only 10% of the time or you're just paying more for something more constrained.

A full month of runtime would be about $50 bucks for a 2vCPU 1GB RAM 10GB SSD mini-VM that you can get easily for $5 elsewhere.

We already have a pretty good sandbox in our platform: https://github.com/Qbix/Platform/blob/main/platform/plugins/...

It uses web workers on a web browser. So is this Deno Sandbox like that, but for server? I think Node has worker threads.

Now I see why he was on twitter saying that the era of coding is over and hyping up LLMs, to sell more shovels...