Zerobox is a cross-platform process sandboxing CLI written in Rust that provides lightweight security controls for running untrusted commands, particularly AI-generated code. Released as a "Show HN" post on March 30, 2026, the single-binary tool adds approximately 10ms overhead while providing file system isolation, network controls, and a novel secret injection system that keeps credentials invisible to sandboxed processes.
Deny-by-Default Sandboxing with Native OS Integration
Zerobox operates on a "deny by default" principle similar to Deno. By default, a sandboxed command can only read files; all writes and network I/O are blocked unless explicitly permitted. The system uses the native sandboxing mechanism on each OS, including Bubblewrap on Linux, and wraps commands with an MITM proxy for network-level control.
File and network controls can restrict reads and writes to specific paths and allow or deny outbound traffic by domain. Environment inheritance is minimal: only PATH, HOME, USER, SHELL, TERM, and LANG are passed through by default. According to the developer: "this is the closest I was able to get when it comes to sandboxing commands locally" after exploring solutions including Firecracker VMs.
Secret Injection Keeps Credentials Invisible to Sandboxed Processes
The MITM proxy performs two functions: blocking network calls and injecting credentials at the network level. Processes see placeholder values like ZEROBOX_SECRET_a1b2c3d4e5... in environment variables, while the proxy substitutes real values only for approved hosts during network requests. As the documentation states: "the sandboxed process never sees the real value."
Example usage:

    zerobox --secret OPENAI_API_KEY=$OPENAI_API_KEY --secret-host OPENAI_API_KEY=api.openai.com -- bun agent.ts

This pattern is particularly novel: credentials remain invisible to sandboxed processes, reducing attack surface if the sandbox is breached. Unlike traditional VM-based sandboxing, Zerobox achieves minimal overhead (approximately 10ms) while providing fine-grained control.
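The host-scoped substitution described above can be modeled in a few lines. This is an added example, not Zerobox's own code: the Secret and Injector types, the normalize helper, the exact-match host rule and the sample values are all assumptions made for illustration.

```rust
use std::collections::HashMap;

// Hypothetical model of what a secret-injecting proxy holds; not Zerobox's types.
struct Secret {
    real: String,       // real value, known only to the proxy
    hosts: Vec<String>, // hosts approved to receive it (the --secret-host mapping)
}

struct Injector {
    secrets: HashMap<String, Secret>, // keyed by the placeholder the child sees
}

// Lowercase the host and drop a numeric ":port" and trailing dot, so the
// allowlist comparison is an exact match rather than a prefix or suffix test.
fn normalize(host: &str) -> String {
    let mut h = host.trim();
    if let Some((name, port)) = h.rsplit_once(':') {
        if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) {
            h = name;
        }
    }
    h.trim_end_matches('.').to_ascii_lowercase()
}

impl Injector {
    // Rewrite one outbound header value for a request to `host`. A placeholder
    // becomes the real value only when `host` is approved for that secret;
    // for any other host the placeholder is forwarded unchanged.
    fn rewrite(&self, host: &str, value: &str) -> String {
        let host = normalize(host);
        let mut out = value.to_string();
        for (placeholder, s) in &self.secrets {
            if s.hosts.iter().any(|h| normalize(h) == host) {
                out = out.replace(placeholder.as_str(), &s.real);
            }
        }
        out
    }
}

// Constructed sample data: placeholder, secret value and request hosts are made up.
fn demo() -> (String, String, String) {
    let mut secrets = HashMap::new();
    let s = Secret { real: "sk-constructed-example".into(), hosts: vec!["api.openai.com".into()] };
    secrets.insert("ZEROBOX_SECRET_a1b2c3d4".to_string(), s);
    let inj = Injector { secrets };
    let hdr = "Bearer ZEROBOX_SECRET_a1b2c3d4"; // what the sandboxed process sends
    (inj.rewrite("api.openai.com:443", hdr), inj.rewrite("API.OpenAI.com.", hdr),
     inj.rewrite("api.openai.com.attacker.example", hdr))
}

fn main() { println!("{:?}", demo()); }
```

The third request shows why the comparison is exact: a lookalike host that merely starts with the approved name receives only the placeholder.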
AI Agent Safety and Multi-Agent System Integration
Primary use cases include AI agent safety for running LLM-generated code without risking file corruption or data exfiltration. Individual tool calls within multi-agent systems can be sandboxed independently with tailored permissions. Build and test protection prevents untrusted build scripts from modifying repositories.
The developer mentions future exploration of zerobox claude or zerobox openclaw, which would wrap entire agents with preloaded policy profiles. A TypeScript SDK is available with a Deno-style API. Cross-platform support includes macOS and Linux, with Windows planned. Distribution is available via npm or shell script.
Zerobox uses sandboxing crates from the OpenAI Codex repository and adds features such as secret injection and SDK support. The tool received 100 points and 82 comments on Hacker News, indicating strong community interest in lightweight sandboxing solutions for AI safety.
Key Takeaways
- Zerobox is a cross-platform Rust CLI that provides process sandboxing with approximately 10ms overhead, significantly lighter than VM-based solutions
- The tool's secret injection system keeps real credentials invisible to sandboxed processes: they see placeholders, and real values are substituted only in network requests to approved hosts
- Deny-by-default permissions require explicit allowlisting for file writes, network access, and environment variables
- Primary use cases include running AI-generated code safely and sandboxing individual tool calls within multi-agent systems
- Available via npm or shell script with TypeScript SDK support and native OS integration on macOS and Linux