Agent Safehouse


Go full --yolo. We've got you.

macOS-native sandboxing for local agents. Move fast, break nothing.

LLMs are probabilistic - 1% chance of disaster makes it a matter of when, not if.

you: a fine-tuned MacBook Pro, crafted to perfection

agent: thinking...

$ rm -rf ~

you: !@#$ I told you, "Make no mistakes".

agent: You're absolutely right! 👁️ 👉👈 👁️

Tested against all leading agents, sleeper agents included

All agents work perfectly in their sandboxes, but can't impact anything outside it.

Deny-first access model

Agents inherit your full user permissions. Safehouse flips this — nothing is accessible unless explicitly granted.

~/my-project      read/write
~/shared-lib      read-only
~/.ssh            denied
~/.aws            denied
~/other-repos     denied

Getting started

Download a single shell script, make it executable, and run your agent inside it. No build step, no dependencies — just Bash and macOS.

```bash
# 1. Download safehouse (single self-contained script)
mkdir -p ~/.local/bin
curl -fsSL https://raw.githubusercontent.com/eugene1g/agent-safehouse/main/dist/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

# 2. Run any agent inside Safehouse
cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions
```

Safehouse automatically grants read/write access to the selected workdir (git root by default) and read access to your installed toolchains. Most of your home directory — SSH keys, other repos, personal files — is denied by the kernel.

See it fail — proof the sandbox works

Try reading something sensitive inside safehouse. The kernel blocks it before the process ever sees the data.

```bash
# Try to read your SSH private key — denied by the kernel
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted

# Try to list another repo — invisible
safehouse ls ~/other-project
# ls: /Users/you/other-project: Operation not permitted

# But your current project works fine
safehouse ls .
# README.md  src/  package.json  ...
```
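To make the deny-first model and the probes above concrete, here is an added example that is not Safehouse's own code and not its real profile templates: a minimal `sandbox-exec` profile with `(deny default)` at the top, a wrapper that fills in the profile's parameters, and a self-check that repeats the "see it fail" probes and reports any path that is readable when it should not be. The parameter names `WORKDIR`, `SHARED` and `HOME`, and the helper names `gen_profile`, `run_sandboxed` and `check_sandbox`, are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not Safehouse's own code: a minimal deny-first SBPL profile
# for sandbox-exec, a wrapper that fills in its parameters, and a self-check
# that mirrors the "see it fail" probes. Parameter names (WORKDIR, SHARED)
# and the helper names are assumptions for this example.

# Print the profile. Paths come in via `sandbox-exec -D NAME=value`, so the
# profile text itself is reusable across projects.
gen_profile() {
  cat <<'EOF'
(version 1)
;; Deny-first: every operation is blocked unless a rule below allows it.
(deny default)

;; Enough process plumbing for a shell and the agent binary to start.
(allow process-exec*)
(allow process-fork)
(allow sysctl-read)
(allow mach-lookup)

;; Agents talk to a hosted model, so they need outbound network access.
;; Narrow this with network-outbound filters if your agent allows it.
(allow network*)

;; System and toolchain locations: read-only.
(allow file-read*
  (subpath "/usr") (subpath "/bin") (subpath "/sbin") (subpath "/System")
  (subpath "/Library") (subpath "/private/etc") (subpath "/opt/homebrew")
  (subpath "/dev"))
(allow file-write-data (literal "/dev/null") (literal "/dev/tty"))
;; Per-user temp dirs (TMPDIR lives under /private/var/folders).
(allow file-read* file-write* (subpath "/private/tmp")
  (subpath "/private/var/folders"))

;; The project is read/write; one extra tree (SHARED) is read-only,
;; like --add-dirs-ro on the page.
(allow file-read* file-write* (subpath (param "WORKDIR")))
(allow file-read* (subpath (param "SHARED")))

;; Later rules take precedence, so these denies hold even if WORKDIR is
;; ever pointed at $HOME itself.
(deny file-read* file-write*
  (subpath (string-append (param "HOME") "/.ssh"))
  (subpath (string-append (param "HOME") "/.aws")))
EOF
}

# Run a command under the profile. WORKDIR defaults to the git root (as
# Safehouse does); $1 is the read-only SHARED tree, the rest is the command.
run_sandboxed() {
  shared=${1:?read-only dir}; shift
  workdir=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
  profile=$(mktemp "${TMPDIR:-/tmp}/safehouse-demo.XXXXXX") || return 1
  gen_profile >"$profile"
  sandbox-exec -f "$profile" \
    -D HOME="$HOME" -D WORKDIR="$workdir" -D SHARED="$shared" "$@"
  rc=$?
  rm -f "$profile"
  return "$rc"
}

# Self-check in the spirit of "see it fail": $1 is a runner prefix (for
# example "run_sandboxed $HOME/shared-lib"), $2 the workdir that must stay
# readable, and the remaining args are paths that must be denied.
# Returns 0 only when every expectation holds.
check_sandbox() {
  runner=$1; workdir=$2; shift 2
  failures=0
  for p in "$@"; do
    # A missing path is also "not readable"; skip it so absence never
    # masquerades as a working sandbox.
    [ -e "$p" ] || continue
    if $runner ls "$p" >/dev/null 2>&1; then
      echo "FAIL: $p is readable from inside the sandbox"
      failures=$((failures + 1))
    fi
  done
  if ! $runner ls "$workdir" >/dev/null 2>&1; then
    echo "FAIL: workdir $workdir is not readable from inside the sandbox"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ]
}

# Usage on macOS, from inside a project:
#   check_sandbox "run_sandboxed $HOME/shared-lib" "$(pwd)" "$HOME/.ssh" "$HOME/.aws"
```

Two design points carry over to any profile you write or have an LLM generate: put `(deny default)` first and add allows below it, and keep explicit denies for secrets at the end, because in SBPL the last matching rule wins. A real agent will need more allows than this skeleton (its own toolchain directory, caches, metadata reads), and the self-check is how you confirm that each addition did not quietly widen access to `~/.ssh` or another repo.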

Safe by default with shell functions

Add these to your shell config and every agent runs inside Safehouse automatically — you don't have to remember. To run without the sandbox, use `command claude`: the `command` builtin skips shell functions and runs the real binary directly.

POSIX shells (zsh / bash)

```bash
# ~/.zshrc or ~/.bashrc
# Use "$HOME" rather than ~ here: zsh does not expand a tilde after "=" in an
# option argument unless magic_equal_subst is set, so ~/mywork would be passed literally.
safe() { safehouse --add-dirs-ro="$HOME/mywork" "$@"; }

# Sandboxed — the default. Just type the command name.
claude()   { safe claude --dangerously-skip-permissions "$@"; }
codex()    { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }
amp()      { safe amp --dangerously-allow-all "$@"; }
gemini()   { NO_BROWSER=true safe gemini --yolo "$@"; }

# Unsandboxed — bypass the function with `command`
# command claude               — plain interactive session
```

fish

```fish
# ~/.config/fish/config.fish
function safe
    safehouse --add-dirs-ro="$HOME/mywork" $argv
end

# Sandboxed helpers without overriding the original binary names.
function sandbox-claude
    safe claude --dangerously-skip-permissions $argv
end

function sandbox-codex
    safe codex --dangerously-bypass-approvals-and-sandbox $argv
end

function sandbox-amp
    safe amp --dangerously-allow-all $argv
end

function sandbox-gemini
    set -lx NO_BROWSER true
    safe gemini --yolo $argv
end
```

Generate your own profile with an LLM

Use a ready-made prompt that tells Claude, Codex, Gemini, or another model to inspect the real Safehouse profile templates, ask about your home directory and toolchain, and generate a least-privilege `sandbox-exec` profile for your setup.

The guide also tells the LLM to ask about global dotfiles, suggest a durable profile path like ~/.config/sandbox-exec.profile, offer a wrapper that grants the current working directory, and add shell shortcuts for your preferred agents.
