Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Granted, I just started playing around with OpenCode (but been using Codex and Claude Code since they were initially available, so not first time with agents), but anyways:

> they need broad file system access to be useful, but that access surface is also the attack surface

Do they? You give them access to one directory typically (my way is to create a temporary docker container that literally only has that directory available, copied into the container on boot, copied back to the host once the agent completed), and I don't think I've needed them to have "broad file system access" at any point, to be useful or otherwise.

So that leads me to think I'm misunderstanding either what you're saying, or what you're doing?



This is the way. If you’re not running your agent harness/framework in a container with explicit bind mounts or copy-on-build then you’re doing it wrong. Whenever I see someone complain about filesystem access and sequirity risk it’s a clear signal of incompetence imo.


> container with explicit bind mounts

Someone correct me if I'm wrong, but if you're doing bind-mounts, ensure you do read-only, if you're doing bi-directional bind mounts with docker, the agent could (and most likely know how to) create a symlink that allows them to browse outside the bind mount.

That's why I explicitly made my tooling do "Create container, copy over $PWD, once agent completes, copy back to $PWD" rather than the bind-mount stuff.


> create a symlink that allows them to browse outside the bind mount Could you reproduce that? iiuc the symlink that the agent creates should follow to the path that's still inside the container.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: