logoalt Hacker News

HarHarVeryFunnyyesterday at 7:54 PM8 repliesview on HN

Not specific to OpenAI / Codex, but I'm curious what people are doing to protect themselves from any destructive actions by their coding agents? Just install and pray? Explicity approve all actions? Reconfigure for safety? Run in a sandbox (Docker) ?


Replies

cyberpunkyesterday at 10:58 PM

I run codex in a dedicated vm, I have a cronjob which resets it to clean installed state every week. Nothing too fancy just bhyve and debian, 8gb mem. It has root access there, can install stuff, no permissions to push to protected branches etc. It didn't take very long to setup, and I can sleep a bit better...

kennykartmanyesterday at 8:10 PM

Typically I just want to isolate the agent disallowing it from accessing other parts of the filesystem. Using a different user might be enough, but I typically use [bubblewrap](https://github.com/containers/bubblewrap).

gorgmahyesterday at 8:40 PM

I live in fear lol.

More seriously, I was blindly trusting the auto-classifier from claude code (same as the middle option when you do `/permissions` in codex), and it actually allowed the agent to do pretty hardcore `rm` and `git push --force-with-lease` commands, which I would have expected to have to approve manually. Luckily no major issue from those yet.

The best option imo is the integrated cloud environments from claude code (not sure yet if there's a codex equivalent). It spawns a VM in the cloud where the agent runs, and you can open a PR from the app when it's done. Very smooth experience

show 1 reply
user43928yesterday at 8:18 PM

I use the auto-reviewer for actions outside the builtin sandbox.

So far this has been rock solid, and tens of millions of developers use this setup without issue.

It is not going to wipe our hard disks. At least I hope so. Fable and GPT 5.6 have been ever more proactive, and GPT 5.6 is automating the AppStore on my machine to download an Xcode update while I am typing this.

show 1 reply
ryan_nyesterday at 7:56 PM

I still just explicitly approve all actions and review all code (unless it's a personal/throwaway project no one else will ever touch/use/see). I know a lot of people that run in a sandbox though. That said, I'm sure there are lots of people that just yolo it and hope for the best.

jrfloyesterday at 8:29 PM

What destructive actions are you afraid of in particular? Honestly the models are pretty smart, I let the agents go --yolo and nothing bad has ever happened (yet) that couldn't be solved with git.

show 1 reply
RhodesianHunteryesterday at 8:34 PM

Don't let it outside the sandbox. Don't let it have access to anything but dev environments. Continue using git.

Never had any issues.

show 1 reply