Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents

https://github.com/amlalabs/amla-sandbox

13•souvik1997•1h ago

WASM sandbox for running LLM-generated code safely.

Agents get a bash-like shell and can only call tools you provide, with constraints you define. No Docker, no subprocess, no SaaS — just pip install amla-sandbox

Comments

westurner•1h ago

From the README:

> Security model

> The sandbox runs inside WebAssembly with WASI for a minimal syscall interface. WASM provides memory isolation by design—linear memory is bounds-checked, and there's no way to escape to the host address space. The wasmtime runtime we use is built with defense-in-depth and has been formally verified for memory safety.

> On top of WASM isolation, every tool call goes through capability validation: [...]

> The design draws from capability-based security as implemented in systems like seL4—access is explicitly granted, not implicitly available. Agents don't get ambient authority just because they're running in your process.

westurner•1h ago

From "Show HN: NPM install a WASM based Linux VM for your agents" re: https://github.com/deepclause/agentvm .. https://news.ycombinator.com/item?id=46686346 :

>> How to run vscode-container-wasm-gcc-example with c2w, with joelseverin/linux-wasm?

> linux-wasm is apparently faster than c2w.

container2wasm issue #550: https://github.com/container2wasm/container2wasm/issues/550#...

vscode-container-wasm-gcc-example : https://github.com/ktock/vscode-container-wasm-gcc-example

Cloudflare Runners also run WASM; with workerd:

cloudflare/workerd : https://github.com/cloudflare/workerd

...

"Cage" implements ARM64 MTE Memory Tagging Extensions support for WASM with LLVM emscripten iirc:

- "Cage: Hardware-Accelerated Safe WebAssembly" (2024) https://news.ycombinator.com/item?id=46151170 :

> [ llvm-memsafe-wasm , wasmtime-mte , ]

souvik1997•51m ago

agentvm looks very cool! They are taking a different approach - full Linux VM emulated in WASM. It's very impressive technically.

We differentiate from agentvm by being lightweight (~11 MB Wasm binary, compared to 173 MB for agentvm). Though there is still a lot we can learn from agentvm, thank you for sharing their project.

schmuhblaster•32m ago

Thank you! When I started working on agentvm my original goal was similar to yours, build a kind of Mingw or Cygwin for WASM. However, I quickly learned that this wouldn't really be feasible with reasonable amounts of time/token spend, mostly due to issues like having to find a way to make fork work, etc. I am no expert for WASM or Linux system programming, but it's been a lot of fun working on this stuff. I hope that the WASI standard and runtimes become more mature, as I feel that WASM sandboxes make a lot of sense in environments where containers are not an option.

westurner•18m ago

"Rethinking Code Refinement: Learning to Judge Code Efficiency" https://news.ycombinator.com/item?id=42097656

eWASM has costed opcodes. The EVM virtual machine has not implemented eWASM.

Costed opcodes in WASM for agents could incentivize efficiency

re: wasm-bpf and eWASM and the BPF verifier: https://news.ycombinator.com/item?id=42092120

ewasm docs > Gas Costs > "Gas costs of individual instructions" https://ewasm.readthedocs.io/en/mkdocs/determining_wasm_gas_...

Browser tabs could show CPU, RAM, GPU utilization;

From "The Risks of WebAssembly" (2022) https://news.ycombinator.com/item?id=32765865 :

> Don't there need to be per- CPU/RAM/GPU quotas per WASM scope/tab? Or is preventing DOS with WASM out of scope for browsers?

> IIRC, it's possible to check resource utilization in e.g. a browser Task Manager, but there's no way to do `nice` or `docker --cpu-quota` or `systemd-nspawn --cpu-affinity` to prevent one or more WASM tabs from DOS'ing a workstation with non-costed operations.

Presumably workerd supports resource quotas somehow?

From 2024 re: Process isolation in browsers : https://news.ycombinator.com/item?id=40861851 :

> From "WebGPU is now available on Android" [...] (2022) :

>> What are some ideas for UI Visual Affordances to solve for bad UX due to slow browser tabs and extensions?

>> UBY: Browsers: Strobe the tab or extension button when it's beyond (configurable) resource usage thresholds

>> UBY: Browsers: Vary the {color, size, fill} of the tabs according to their relative resource utilization

souvik1997•4m ago

Thanks for sharing the context! The fork problem is gnarly. Makes sense that full Linux emulation was the path forward for your use case.

Agreed on WASI maturity. We're hoping the component model lands in a stable form soon. Would love to see the ecosystem converge so these approaches can interoperate.

quantummagic•58m ago

Sure, but every tool that you provide access to, is a potential escape hatch from the sandbox. It's safer to run everything inside the sandbox, including the called tools.

souvik1997•47m ago

That's definitely true. Our model assumes tools run outside the sandbox on a trusted host—the sandbox constrains which tools can be called and with what parameters. The reason for this is most "useful" tools are actually just some API call over the network (MCP, REST API, etc.). Then you need to get credentials and network access into the sandbox, which opens its own attack surface. We chose to keep credentials on the host and let the sandbox act as a policy enforcement layer: agents can only invoke what you've explicitly exposed, with the constraints you define.

syrusakbary•54m ago

This is great!

While I think that with their current choice for the runtime will hit some limitations (aka: not really full Python support, partial JS support), I strongly believe using Wasm for sandboxing is the way for the future of containers.

At Wasmer we are working hardly to make this model work. I'm incredibly happy to see more people joining on the quest!

souvik1997•43m ago

Appreciate your support! We deliberately chose a limited runtime (quickjs + some shell applets). The tool parameter constraint enforcement was more important to us than language completeness. For agent tool calling, you don't really need NumPy and Pandas.

Wasmer is doing great work—we're using wasmtime on the host side currently but have been following your progress. Excited to see WASM sandboxing become more mainstream for this use case.

syrusakbary•38m ago

> For agent tool calling, you don't really need NumPy and Pandas.

That's true, but you'll likely need sockets, pydantic or SQLAlchemy (all of of them require heavy support on the Wasm layer!)

souvik1997•4m ago

Fair point. We get around this by "yielding" back from the Wasm runtime (in a coroutine style) so that the "host" can do network calls or other IO on behalf of the Wasm runtime. But it would be great to do this natively within Wasm!

apignotti•39m ago

Hi, if you like the idea of Wasm sandboxing you might be interested in what we are working on: BrowserPod :-)

https://labs.leaningtech.com/blog/browserpod-beta-announceme...

https://browserpod.io

syrusakbary•34m ago

Browserpod is great, been following it for a bit. Keep the good work up!

The main issue that I see with Browserpod is very similar to Emscripten: it's designed to work mainly in the browser, and not outside.

In my view, where Wasm really shines, is for enabling containers that work seamlessly in any of this environments: browsers, servers, or even embedded in apps :)

apignotti•31m ago

It is true that BrowserPod is currently focused on browsers environment, but there is nothing preventing the technology from running on native as well. It would requite some work, but nothing truly challenging :-)

asyncadventure•3m ago

Really appreciate the pragmatic approach here. The 11MB vs 173MB difference with agentvm highlights an important tradeoff: sometimes you don't need full Linux compatibility if you can constrain the problem space well enough. The tool-calling validation layer seems like the sweet spot between safety and practical deployment.

The Internet Sucks Now

Detecting Dementia Using Lexical Analysis: Terry Pratchett's Discworld

Efficient String Compression for Modern Database Systems

Supply-chain attack: skill.md is like an unsigned binary

Beware: Government Using Image Manipulation for Propaganda

Why Unique Cross-Leg Designs Outperform Corner Legs

Human life span heritability is about 50% when confounding factors are addressed

Did We Overestimate the Potential Harm from Microplastics?

Show HN: Julie Zero – my screen-aware desktop AI that works out of the box

Ask HN: Anyone tried Spotify's AI DJ feature?

Apple reports first quarter results

Why do people support or oppose bike lanes? Shedding light on public opinion

Show HN: I Made Something Weird

I replaced a $120/year micro-SaaS in 20 minutes with LLM-generated code

Show HN: We Built a "Nano Banana" for 3D Editing

Journalist Don Lemon has been arrested

Show HN: Piano Dojo – Guitar Hero for Piano

Lemonade Autonomous Car Insurance (With Tesla FSD Discount)

The Absurdity of the Tech Bro – Mountainhead

I Built Gungi from Hunter X Hunter – Play It Now

Why "Plot" Isn't a Four-Letter Word

GNU FTP Server

Complaining about Windows 11 hasn't stopped it from hitting 1B users

U.S. Judge in Mangione Case Rules Prosecutors Cannot Seek Death Penalty

Pi Monorepo: Tools for building AI agents and managing LLM deployments

Ksnip the cross-platform screenshot and annotation tool

Hey, ChatGPT: Where Should I Go to College?

Disrupting the IPIDEA residential proxy network

Synchronization

Shopify connects any merchant to every AI conversation