Hacker News

raincole, yesterday at 6:24 PM

It never ceases to scare me how they just run python code I didn't write via:

> python <<'EOF'
> ${code the agent wrote on the spot}
> EOF

I mean, yeah, in theory it's just as dangerous as running arbitrary shell commands, which the agent is already doing anyway, but still...


Replies

dns_snek, yesterday at 7:46 PM

The good news is that some of these harnesses (like Codex) use sandboxing. The bad news is that they're too inflexible to be effective.

By default these shell commands don't have network access or write access outside the project directory which is good, but nowhere near customizable enough. Once you approve a command because it needs network access, its other restrictions are lifted too. It's all or nothing.
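An added example (not from either commenter, nor from Codex) of the finer-grained policy dns_snek is asking for: each approval lifts only the restriction it names, and the agent's script is still fed over stdin exactly like the heredoc above. It assumes Linux with bubblewrap (`bwrap`) installed; the `Approval` model, function names and project path are constructed.

```python
"""Granular sandbox policy for agent-written commands (constructed example).

bwrap and its flags are real; the approval model around it is an assumption.
"""
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    network: bool = False        # user approved network access for this command
    write_outside: bool = False  # user approved writes outside the project dir


def sandbox_argv(project_dir: str, approval: Approval, cmd: list[str]) -> list[str]:
    """Wrap `cmd` in bwrap, lifting only the restrictions that were approved."""
    project_dir = os.path.abspath(project_dir)
    argv = ["bwrap", "--die-with-parent"]
    if approval.write_outside:
        argv += ["--bind", "/", "/"]                     # whole filesystem writable
    else:
        argv += ["--ro-bind", "/", "/",                  # read-only root ...
                 "--bind", project_dir, project_dir]     # ... except the project
    argv += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    if not approval.network:
        argv += ["--unshare-net"]                        # empty network namespace
    argv += ["--chdir", project_dir, "--"] + cmd
    return argv


def run_agent_python(project_dir: str, code: str, approval: Approval) -> subprocess.CompletedProcess:
    """Run agent-written Python under the policy; `python3 -` reads the program
    from stdin, the same thing the heredoc in the thread does."""
    argv = sandbox_argv(project_dir, approval, ["python3", "-"])
    return subprocess.run(argv, input=code, text=True, capture_output=True)


if __name__ == "__main__":
    # Constructed request: the agent needs the network but not extra write access.
    policy = Approval(network=True)
    print(" ".join(sandbox_argv("/tmp/proj", policy, ["python3", "-"])))
```

Approving `network=True` keeps `--ro-bind / /` in place, so the write restriction survives the approval instead of being dropped along with it.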