The problem:
AI agents are most useful when they have freedom—freedom to write code, install packages, run scripts, explore solutions. But that freedom is dangerous. One hallucinated rm -rf / or a malicious package install, and your host system pays the price.
So we restrict them. Limit file access. Disable network. Whitelist commands. The agent becomes safer but also dumber—unable to iterate, experiment, or recover from mistakes like a human developer would.
I wanted to give AI agents a full computer they could break without breaking mine.
Why not existing tools?
When I started sandboxing AI-generated code, nothing quite fit:
- Docker shares the host kernel—container escapes are a real attack surface, and that makes me nervous
- QEMU/libvirt is powerful but heavyweight—XML configs, daemon processes, steep learning curve
- Cloud sandboxes (E2B, Modal, etc.) work, but you're locked into their platform with limited customization
- Kata Containers is designed for Kubernetes orchestration, not for embedding in a Python script
The SQLite idea:
I've been thinking about why SQLite works so well. Before SQLite, databases meant running a server—PostgreSQL, MySQL, managing daemons, configuring connections. SQLite asked: what if it was just a library? No server. Just import sqlite3.
I wanted the same thing for VMs.
So I started building BoxLite—an attempt to make VMs embeddable like SQLite. A library call that gives you a real micro-VM with its own kernel. No daemon. No root.
import asyncio
import boxlite
async def main():
async with boxlite.SimpleBox(image="python:slim") as box:
result = await box.exec("python", "-c", "print('Hello from VM!')")
print(result.stdout)
asyncio.run(main())
To be clear: this is early.
It works on macOS Apple Silicon and Linux. You can pull OCI images, mount volumes, forward ports. There are some higher-level abstractions (BrowserBox for Playwright, ComputerBox for desktop automation).
But there are bugs. Boot time is 200ms for hot runs (I want it under 100ms). Documentation is thin. Error messages could be better. macOS Intel and Windows aren't supported. I haven't battle-tested it at scale.
I'm sharing it now because I'd rather build this with feedback than in isolation.
What I'd love to hear:
- Does the SQLite-for-VMs idea make sense, or am I stretching the analogy?
- What would you actually use this for?
- What's broken or confusing when you try it?
GitHub: https://github.com/boxlite-labs/boxlite
PyPI: https://pypi.org/project/boxlite/
dorianzheng•1h ago