argbe.tech - news

NVIDIA AI Red Team’s sandbox control checklist for agentic coding tools

NVIDIA’s AI Red Team outlined OS-level sandbox controls for agentic workflows to reduce indirect prompt-injection risk. The guidance focuses on limiting network egress, filesystem writes outside the workspace, and configuration tampering across all processes the agent spawns.

NVIDIA’s AI Red Team published a security playbook for sandboxing agentic coding workflows that run tools with user-level permissions.

  • The main threat model is indirect prompt injection, including hostile instructions embedded in repos/PRs, git history, .cursorrules, agent rule files (such as AGENT.md), or malicious MCP responses.
  • Mandatory controls highlighted include tight network egress, blocking file writes outside the workspace, and preventing edits to configuration files anywhere on disk to reduce persistence and RCE paths.
  • Recommended hardening adds blocking reads outside the workspace, sandboxing the entire IDE plus spawned hooks/MCP startup scripts/tool calls, and running components as separate OS users when possible.
  • For isolation strength, the post points to virtualization boundaries (microVMs, Kata Containers, or full VMs) to separate the sandbox kernel from the host kernel.
  • The guidance also calls out per-action approvals for high-risk operations (for example, network connections), warning that “allow once, run many” patterns don’t provide reliable enforcement.
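To make two of the checklist items concrete, here is an added example (written for this summary, not code from NVIDIA’s post) of a policy layer a sandbox broker could apply before it lets an agent write a file or open a network connection. The workspace path, the protected config names (beyond .cursorrules and AGENT.md, which the post names) and the egress allow-list are assumptions for illustration; real enforcement must still happen at the OS level (namespaces, seccomp, VM boundaries), with this kind of check only deciding what gets proposed to that layer.

```python
"""Policy checks for an agent sandbox broker (added example, not NVIDIA's code).

Demonstrates three items from the checklist:
  * block file writes outside the workspace,
  * block edits to configuration files anywhere on disk,
  * make "allow once" for network egress mean exactly once.
"""
import os
from pathlib import Path

# Assumed list of config files an agent must never modify, wherever they live.
# .cursorrules and AGENT.md come from the post; the rest are illustrative.
PROTECTED_CONFIG_NAMES = {".cursorrules", "AGENT.md", ".bashrc", ".zshrc",
                          ".gitconfig", "mcp.json"}
# Assumed directories whose contents count as configuration (hooks, keys, ...).
PROTECTED_CONFIG_DIRS = {".git", ".config", ".ssh"}


def _resolve(path: str) -> Path:
    # realpath follows symlinks and collapses "..", so a write aimed at
    # <workspace>/../../etc/hosts or through a symlink is judged by its
    # real destination, not by the string the agent supplied.
    return Path(os.path.realpath(path))


def is_within(target: Path, root: Path) -> bool:
    """True if target is root itself or lies underneath root."""
    return target == root or root in target.parents


def check_write(path: str, workspace: str) -> tuple[bool, str]:
    """Decide whether an agent-requested file write may proceed.

    Returns (allowed, reason). Config checks run first so that a config file
    inside the workspace is still refused.
    """
    target = _resolve(path)
    ws = _resolve(workspace)
    if target.name in PROTECTED_CONFIG_NAMES:
        return False, "config-file"
    if any(part in PROTECTED_CONFIG_DIRS for part in target.parts):
        return False, "config-file"
    if not is_within(target, ws):
        return False, "outside-workspace"
    return True, "ok"


class EgressGate:
    """Network egress policy: static allow-list plus single-use approvals.

    The post warns that "allow once, run many" does not enforce anything;
    here each approval is a counter that is consumed by exactly one connect.
    """

    def __init__(self, allowed_hosts):
        self.allowed = set(allowed_hosts)
        self.approvals: dict[tuple[str, int], int] = {}

    def approve_once(self, host: str, port: int) -> None:
        key = (host, port)
        self.approvals[key] = self.approvals.get(key, 0) + 1

    def connect_allowed(self, host: str, port: int) -> bool:
        if host in self.allowed:
            return True
        key = (host, port)
        if self.approvals.get(key, 0) > 0:
            self.approvals[key] -= 1  # grant is spent by this one use
            return True
        return False


if __name__ == "__main__":
    ws = "/tmp/agent-ws"  # assumed workspace root
    for p in ["/tmp/agent-ws/src/main.py",
              "/tmp/agent-ws/../../etc/hosts",
              "/tmp/agent-ws/.cursorrules",
              "/tmp/agent-ws/.git/hooks/pre-commit"]:
        print(p, check_write(p, ws))
    gate = EgressGate(["pypi.org"])
    gate.approve_once("example.invalid", 443)
    print(gate.connect_allowed("example.invalid", 443),
          gate.connect_allowed("example.invalid", 443))
```

The ordering matters: the configuration check precedes the workspace check so that a repo-local rule file or a git hook in the workspace is still refused, which is the persistence path the post is worried about. Running the block prints the four write decisions and then `True False` for the single-use approval.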