From ebd32274f5966fd37c6ccde85e043b9941b0c61b Mon Sep 17 00:00:00 2001 From: Ondrej Drapalik Date: Fri, 10 Jul 2026 23:56:43 +0200 Subject: [PATCH] docs(agents): qualify "safe inside E2B sandboxes" auto-approve claim The unqualified "(safe inside E2B sandboxes)" note on the auto-approve flags implied full safety, but sandboxes have open outbound internet by default. Scope the claim to host/filesystem isolation and point readers to egress network rules when handling untrusted input or secrets. - Reword the headless auto-approve sentence on claude-code, codex, grok, and amp to drop the blanket claim and link /docs/network/internet-access - Add a shared explaining containment covers the host but not the network, with allow/deny-list guidance (hostname rules = HTTP(S) only) - Add the same to devin for consistency Verified empirically: default sandbox egress is open (HTTP 200), and both allowInternetAccess:false and hostname allow-lists block it, while the host stays untouched in every posture. Closes INT-88 --- docs/agents/amp.mdx | 6 +++++- docs/agents/claude-code.mdx | 6 +++++- docs/agents/codex.mdx | 6 +++++- docs/agents/devin.mdx | 4 ++++ docs/agents/grok.mdx | 6 +++++- 5 files changed, 24 insertions(+), 4 deletions(-) diff --git a/docs/agents/amp.mdx b/docs/agents/amp.mdx index 197b7081..728c803b 100644 --- a/docs/agents/amp.mdx +++ b/docs/agents/amp.mdx @@ -22,7 +22,11 @@ amp ## Run headless -Use `-x` for non-interactive mode and `--dangerously-allow-all` to auto-approve all tool calls (safe inside E2B sandboxes). Amp uses its own API key from [ampcode.com/settings](https://ampcode.com/settings). +Use `-x` for non-interactive mode and `--dangerously-allow-all` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Amp uses its own API key from [ampcode.com/settings](https://ampcode.com/settings). + + +Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols. + ```typescript JavaScript & TypeScript diff --git a/docs/agents/claude-code.mdx b/docs/agents/claude-code.mdx index 68c3423a..d401fe36 100644 --- a/docs/agents/claude-code.mdx +++ b/docs/agents/claude-code.mdx @@ -22,7 +22,11 @@ claude ## Run headless -Use `-p` for non-interactive mode and `--dangerously-skip-permissions` to auto-approve all tool calls (safe inside E2B sandboxes). +Use `-p` for non-interactive mode and `--dangerously-skip-permissions` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access) if the agent processes untrusted input or handles secrets. + + +Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols. + ```typescript JavaScript & TypeScript diff --git a/docs/agents/codex.mdx b/docs/agents/codex.mdx index 7b6f854f..f51b1b26 100644 --- a/docs/agents/codex.mdx +++ b/docs/agents/codex.mdx @@ -22,7 +22,11 @@ codex ## Run headless -Use `codex exec` for non-interactive mode and `--full-auto` to auto-approve tool calls (safe inside E2B sandboxes). Pass `--skip-git-repo-check` to bypass git directory ownership checks inside the sandbox. Pass `CODEX_API_KEY` as an environment variable. +Use `codex exec` for non-interactive mode and `--full-auto` to auto-approve tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Pass `--skip-git-repo-check` to bypass git directory ownership checks inside the sandbox. Pass `CODEX_API_KEY` as an environment variable. + + +Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols. + ```typescript JavaScript & TypeScript diff --git a/docs/agents/devin.mdx b/docs/agents/devin.mdx index aeab69b8..180fc9fe 100644 --- a/docs/agents/devin.mdx +++ b/docs/agents/devin.mdx @@ -25,6 +25,10 @@ source /home/user/.bashrc After installation and login, use `devin -p` for non-interactive mode and `--permission-mode dangerous` to auto-approve tool calls. + +Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols. + + ```bash mkdir -p /home/user/project cd /home/user/project diff --git a/docs/agents/grok.mdx b/docs/agents/grok.mdx index e5c9437a..9eb8fbb4 100644 --- a/docs/agents/grok.mdx +++ b/docs/agents/grok.mdx @@ -22,7 +22,11 @@ grok ## Run headless -Use `-p` for non-interactive mode and `--always-approve` to auto-approve all tool calls (safe inside E2B sandboxes). Grok Build authenticates with an API key from the [xAI console](https://console.x.ai) via the `XAI_API_KEY` environment variable. +Use `-p` for non-interactive mode and `--always-approve` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Grok Build authenticates with an API key from the [xAI console](https://console.x.ai) via the `XAI_API_KEY` environment variable. + + +Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols. + ```typescript JavaScript & TypeScript