TL;DR

Yolobox launches AI coding agents inside a container that grants them root inside the sandbox while preventing access to your host home directory by default. It bundles common developer tools and aliases AI CLIs to skip permission prompts so agents can run unattended in a controlled workspace.

What happened

A new tool called yolobox packages a containerized environment designed to let AI coding agents execute commands with full sudo privileges without risking the user's home directory. When you start yolobox from a project, that project is mounted at /workspace and is writable by the agent; the host home directory is not mounted unless the user explicitly opts in. The default base image includes language runtimes, build tools, Git, common utilities and AI CLIs. Inside the container the vendor provides aliases that remove interactive permission checks for agents, enabling fully automated runs. Configuration can be set globally (~/.config/yolobox/config.toml) or per-project (.yolobox.toml), with CLI flags taking precedence. Runtimes supported include Docker and Podman on Linux and Docker Desktop/OrbStack/Colima on macOS. The project is MIT licensed and provides scripts to install or build locally.

Why it matters

  • Separates AI agent execution from the host home directory, reducing risk of accidental deletion of dotfiles and credentials.
  • Allows developers to run agents in an unrestricted mode (sudo) inside a sandbox, useful for automated code changes or build tasks.
  • Bundles common developer tooling and persistent volumes so tools and configs persist across sandbox sessions.
  • Still exposes important attack surfaces: the project mount is writable, network access is available unless disabled, and the container grants root to the agent.

Key facts

  • Installation options: one-line curl installer (requires Go) or clone the repository and run make install.
  • Project directory is mounted at /workspace by default; the host home directory is not mounted unless configured.
  • AI CLIs (Claude Code, Gemini CLI, OpenAI Codex) are aliased to skip permission prompts (e.g., claude --dangerously-skip-permissions).
  • Base image includes Node.js 22, Python 3, common build tools (make, cmake, gcc), Git, GitHub CLI, and utilities like ripgrep and jq.
  • Persistent volumes preserve tools and config across container sessions; yolobox reset --force deletes those volumes.
  • Config files: ~/.config/yolobox/config.toml for global defaults and .yolobox.toml for project overrides; priority: CLI > project > global > defaults.
  • Supported runtimes: Docker and Podman on Linux; Docker Desktop, OrbStack, or Colima on macOS.
  • Memory note: Claude Code requires 4GB+ RAM allocated to Docker; Colima defaults to 2GB and can cause OOM kills unless increased.
  • Auto-forwarded environment variables include ANTHROPIC_API_KEY, OPENAI_API_KEY, GITHUB_TOKEN/GH_TOKEN, OPENROUTER_API_KEY, and GEMINI_API_KEY.
  • License: MIT.
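The isolation model in the facts above (project mounted read-write at /workspace, host home not mounted, optional read-only project with outputs in /output, a 4GB memory floor, and a fixed list of forwarded API-key variables) can be reproduced with plain docker run flags. The function below is an added example, not yolobox's own code: it builds the equivalent command with defender-oriented defaults (network off unless asked for, only allowlisted secrets forwarded, and forwarded by name so values never appear on the command line). The image name and the host location used for /output are assumptions; every flag used is a standard docker run option.

```shell
#!/bin/sh
# Added example: build a docker run command that mirrors the sandbox layout
# described on the page. Prints the command instead of executing it, so the
# result can be inspected without a container runtime present.

# Variables allowed to cross into the sandbox (the page's forwarded list).
FORWARD_VARS="ANTHROPIC_API_KEY OPENAI_API_KEY GITHUB_TOKEN GH_TOKEN OPENROUTER_API_KEY GEMINI_API_KEY"

# build_sandbox_cmd PROJECT_DIR [rw|readonly] [nonet|network]
# PROJECT_DIR must not contain whitespace (the command is assembled as a string).
build_sandbox_cmd() {
    project="$1"
    mode="${2:-rw}"
    net="${3:-nonet}"
    # Placeholder image name (assumption); override with SANDBOX_IMAGE.
    image="${SANDBOX_IMAGE:-example/agent-sandbox:latest}"
    # Assumed host location for /output in read-only mode.
    outdir="${OUTPUT_DIR:-${project}-output}"

    cmd="docker run --rm -it -w /workspace"

    # The page notes Claude Code needs 4GB+ or gets OOM-killed; cap at 4g.
    cmd="$cmd --memory 4g"

    # Network is off unless explicitly requested: a root agent with egress
    # can move anything the mounts and environment expose off the machine.
    if [ "$net" != "network" ]; then
        cmd="$cmd --network none"
    fi

    # Only the project is mounted; the host home directory is never listed.
    # Read-only mode keeps the source immutable and gives the agent /output.
    if [ "$mode" = "readonly" ]; then
        cmd="$cmd -v $project:/workspace:ro -v $outdir:/output"
    else
        cmd="$cmd -v $project:/workspace"
    fi

    # Forward allowlisted secrets by name (docker reads the value from the
    # host environment), and only those that are actually set.
    for v in $FORWARD_VARS; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            cmd="$cmd -e $v"
        fi
    done

    printf '%s\n' "$cmd $image"
}

# Usage: sh sandbox.sh /path/to/project readonly nonet
if [ $# -gt 0 ]; then
    build_sandbox_cmd "$@"
fi
```

The forwarding loop is the part worth keeping even if the rest is replaced by yolobox itself: an explicit allowlist means a stray AWS_SECRET_ACCESS_KEY or SSH agent socket in the host shell does not silently follow the agent into a container where it runs as root with permission prompts disabled.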

What to watch next

  • Memory allocation and runtime configuration for large models (e.g., Claude Code needs 4GB+ or will OOM under low Docker memory settings).
  • Not confirmed in the source: whether third-party security audits or formal vulnerability reviews will be performed on yolobox.
  • Not confirmed in the source: adoption and integration by major AI CLI vendors or platform providers.

Quick glossary

  • Container: An isolated runtime environment that packages software and its dependencies so it runs consistently across systems.
  • sudo: A Unix command that allows a permitted user to execute commands as the superuser (root) or another user.
  • Mount: To make a host filesystem path available inside a container at a specified location.
  • Persistent volume: A storage area that survives container restarts, used to preserve data, tools, or configuration between sessions.
  • Sandbox: An isolated environment where code can run with limited access to the host system, used to reduce risk.

Reader FAQ

Does yolobox prevent the AI agent from deleting my home directory?
Yes — by default your host home directory is not mounted into the container, so agents cannot modify it unless you opt in.

Is my project directory protected?
No — the project is mounted read-write by default. Use --readonly-project to mount it read-only if you want outputs redirected to /output.

How do I install yolobox?
You can run the provided curl installer (requires Go) or clone the repo and run make install.

Does yolobox disable network access by default?
Not confirmed in the source.
