Lock down AI agents with token and filesystem isolation

AI agents run with your user permissions—use short-lived tokens, secret managers, and sandboxes (Claude /sandbox, Docker, or bubblewrap) to contain blast radius.

May 22, 2026

Summary

Agents can read SSH keys, push to remotes, hit production APIs, and execute shell commands with your full permissions. Credential leaks and destructive commands become operator error, not agent failure. Isolation and minimal scopes shift the risk model from 'trust the agent' to 'contain the agent.'

Implementation verdict

Replaces: permissive agent configs and plaintext credential files. Requires: about 15 minutes to add .env deny patterns and rotate tokens to read-only scopes; about 30 minutes to enable Claude /sandbox or Docker isolation. Worth starting now: these are operational baselines, not nice-to-haves. Prioritize secret-manager migration (Doppler or 1Password CLI) and MCP token scoping first.

Sources

  1. They run with your permissions — which means anything you can do, they can do, including things you would never deliberately do.
  2. Default to read-only tokens. Most agent work doesn't need write access.
  3. Use read-only API tokens in local .env files — never admin or read-write credentials.
  4. Agents have full read/write access to your filesystem by default. They can read SSH keys, cloud credentials, browser data, and any file your user account can access.
  5. Don't use --dangerously-skip-permissions on macOS outside a Docker container or VM.
  6. For long-running autonomous tasks, sandbox first, then use --dangerously-skip-permissions inside the sandbox only.
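
The verdict and source quotes 4 to 6 together describe one procedure: deny-list plaintext credential files, pull a read-only token from a secret manager at launch, keep the host's credential directories out of the agent's view, and pass --dangerously-skip-permissions only inside a sandbox. The POSIX shell script below is added here as a worked example of that procedure using bubblewrap; it is not code from the newsletter, from Claude Code, from bubblewrap or from 1Password. Assumptions: the agent binary is `claude` and its autonomous flag is --dangerously-skip-permissions (both as quoted above); the token is fetched with 1Password's `op read` from a vault path that is made up for the example; the `permissions.deny` block with `Read(...)` patterns follows the Claude Code settings documentation and your installed version may differ; `claude` and its runtime live under /usr so the read-only /usr bind covers them.

```shell
#!/bin/sh
# Added example, not the newsletter's or any tool's own code.
# Assumptions: agent binary is `claude`, autonomous flag is
# --dangerously-skip-permissions, token comes from `op read` at a made-up
# vault path, claude and its runtime are installed under /usr.
set -eu

# Environment the agent is allowed to inherit. Everything else on the host
# (AWS_*, GITHUB_TOKEN, SSH_AUTH_SOCK, DATABASE_URL, ...) is unset first.
AGENT_ENV_ALLOWLIST="PATH HOME TERM LANG AGENT_SANDBOX ANTHROPIC_API_KEY"

# env_names_to_drop: read NAME=value lines (as `env` prints them) on stdin
# and print the names that are not on the allowlist.
env_names_to_drop() {
  while IFS= read -r line; do
    name=${line%%=*}
    case " $AGENT_ENV_ALLOWLIST " in
      *" $name "*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# bind_is_safe DIR: refuse to bind the root, the home directory itself, or
# the credential directories the page warns about into the sandbox. The
# sandbox gets a fresh tmpfs HOME, so ~/.ssh, ~/.aws and browser profiles
# simply do not exist inside it.
bind_is_safe() {
  case "$1" in
    /|"$HOME"|"$HOME"/|"$HOME"/.ssh*|"$HOME"/.aws*|"$HOME"/.gnupg*|"$HOME"/.config*|"$HOME"/.mozilla*) return 1 ;;
  esac
  return 0
}

# in_sandbox: true only when the AGENT_SANDBOX marker is set, which happens
# solely in run_agent_sandboxed below. /.dockerenv is deliberately not
# trusted: a container that bind-mounts the host's ~/.ssh is not a sandbox.
in_sandbox() { [ "${AGENT_SANDBOX:-}" = "1" ]; }

# agent_autonomy_flag: source quote 6 as code. Prints the skip-permissions
# flag only inside the sandbox; outside it prints nothing, so the agent
# keeps its interactive permission prompts.
agent_autonomy_flag() {
  if in_sandbox; then printf '%s' "--dangerously-skip-permissions"; fi
}

# write_deny_settings REPO: project-level deny patterns so the agent cannot
# read plaintext credential files even inside the bound repo. The pattern
# syntax is taken from the Claude Code settings documentation (assumption:
# verify it against your installed version).
write_deny_settings() {
  mkdir -p "$1/.claude"
  cat > "$1/.claude/settings.json" <<'EOF'
{
  "permissions": {
    "deny": ["Read(./.env)", "Read(./.env.*)", "Read(./secrets/**)"]
  }
}
EOF
}

# run_agent_sandboxed REPO [agent args...]: the launch itself. Needs bwrap,
# op and the agent installed, so it is not exercised offline.
run_agent_sandboxed() {
  repo=$1; shift
  bind_is_safe "$repo" || { echo "refusing to bind $repo into the sandbox" >&2; return 1; }
  write_deny_settings "$repo"
  # Read-only token fetched at launch and held only in the environment: it
  # is never written to a .env file and never appears on a command line
  # where `ps` could read it. The vault path is made up for the example.
  ANTHROPIC_API_KEY=$(op read 'op://Dev/anthropic-readonly/credential')
  export ANTHROPIC_API_KEY AGENT_SANDBOX=1
  for name in $(env | env_names_to_drop); do unset "$name" 2>/dev/null || :; done
  # Everything read-only except the repo. The network namespace is shared so
  # the agent can reach its API, but of the host filesystem only /usr, DNS
  # config and CA certificates are visible; HOME is an empty tmpfs.
  bwrap \
    --unshare-all --share-net --die-with-parent \
    --ro-bind /usr /usr --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
    --symlink usr/bin /bin --symlink usr/sbin /sbin \
    --ro-bind /etc/resolv.conf /etc/resolv.conf --ro-bind /etc/ssl /etc/ssl \
    --proc /proc --dev /dev --tmpfs /tmp \
    --tmpfs "$HOME" \
    --bind "$repo" "$HOME/work" --chdir "$HOME/work" \
    -- claude "$@" $(agent_autonomy_flag)
}
```

Only the environment filter, the bind-path guard, the flag guard and the settings writer run offline; run_agent_sandboxed needs bwrap, op and the agent present. Because the AGENT_SANDBOX marker is set nowhere except run_agent_sandboxed, `claude $(agent_autonomy_flag)` typed in an ordinary shell keeps its permission prompts and only skips them inside the sandbox. If you use the page's Docker option instead of bubblewrap, the same shape applies: mount only the repo, pass `-e AGENT_SANDBOX=1`, and do not treat the presence of /.dockerenv as proof that nothing sensitive is mounted.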

Dev Signal
