Hacker News

Comment by SwellJoe | original | ZCode – Harness for GLM-5.2
SwellJoe · 2026-07-01 Wed 20:08 UTC
I don't even know what I would do with a desktop app. I'm running these things in headless VMs, so I can run them with `--dangerously-skip-permissions` or whatever. I don't trust them, even without that flag, on my desktop/laptop.
InsideOutSanta · 2026-07-01 Wed 20:49 UTC
Zcode allows you to connect to a Docker container, or to a VM using ssh.
teaspoon · 2026-07-01 Wed 20:52 UTC
Good desktop apps in this category can manage agents across any number of remote SSH hosts.
SwellJoe · 2026-07-01 Wed 21:20 UTC
But, it's still running on my desktop/laptop. I don't trust them to run on my machine. But, I guess I could run one VM with a desktop to contain the desktop app. Or, just keep using CLI agents.
scorpioxy · 2026-07-01 Wed 22:20 UTC
Is the trust concern for the agent running in any form on your machine? Like in a VM on your machine as well or do you mean on the host itself?

I have read about people giving an agent full access to their main system saying they have nothing of value. To me, that's a strange opinion to have with the distinction between what's private and what's secret.

SwellJoe · 2026-07-01 Wed 22:52 UTC
I don't run agents directly on my desktop/laptop machine. I run them in VMs or containers (sometimes in containers on VMs). There have been too many credential-stealing exploits via prompt injection and the like for me to be willing to let an agent roam around on my personal system.

I've also started creating new github deploy keys for each repo in use on a VM, so the blast area for any given agent disaster is "a couple/few github repos and whatever credentials were needed for the agent/model".

I wouldn't let a coworker, even one I know pretty well, log into my personal account on my machines... why would I let an agent that can be tricked into uploading all my credentials to an attacker's web server?

The agents have sandboxes, but those are loose. Not enforced by anything outside of the agent harness itself.

notshore · 2026-07-01 Wed 23:04 UTC
I'm working on a credential broker that would keep credentials vaulted and parcel out access on a per-grant basis. Is that something you'd find useful or is your setup comprehensive enough? We would be allowing people to draft access policies with natural language, I figured it would be useful for things like vercel, stripe access etc.
0gs · 2026-07-02 Thu 01:04 UTC
fwiw, i built something simple like this into my harness thing (github.com/0gsd/enough). may not be complicated enough to do per application nowadays vs. needing a modularized outside solution, but it is certainly a good idea that seems to work!
UnlockedSecrets · 2026-07-02 Thu 03:51 UTC
Not at all would I ever, within the current technology constraints, trust a "natural language model" to secure access to my own credentials. I will always keep it completely isolated from anything at all I would consider 'risky' and pre-define, before it begins, what it could possibly access, through a brand new VM with only the absolute minimal access to any git repos, and completely restrict, to the extent that is allowable, its ability to do anything outside of its own playground. The playground is disposable; the potential for the LLM to access any of my own accounts and wreak havoc on the trust in my network is unacceptable under any rules....
scorpioxy · 2026-07-01 Wed 23:48 UTC
Oh yeah, that sounds wise to me. Some people don't run the agents on a VM on their own machine and opt for a VPS somewhere. And I was wondering if privacy and security had anything to do with their decision.
Avicebron · 2026-07-02 Thu 01:17 UTC
This is what I do, VMs in proxmox. It works really well.
chrisweekly · 2026-07-02 Thu 02:27 UTC
Have you seen smolvm (from smolmachines)?
drnick1 · 2026-07-02 Thu 04:41 UTC
Do you not find a dedicated UNIX user to be sufficient for the sake of protecting personal files, SSH keys, etc?
Operyl · 2026-07-02 Thu 04:56 UTC
It's all fun and games until the model is smart enough to figure out privilege escalation, i.e. a lot of people don't realize Docker enabled on a regular user is enough for privilege escalation if you "follow the tutorials."
krzyk · 2026-07-02 Thu 05:39 UTC
Agent that can apt-get is more useful.
ghm2199 · 2026-07-01 Wed 22:58 UTC
For local tasks you can only give agents delegates that execute your deterministic read or write on an allowed set of files (e.g. pi does this) and execute rights only on containers with no network access. That should get you 95% unblocked for most tasks you want to do with an LLM pretty safely.

You can do brainstorming with the web on a remote container, and prototyping based on that brainstorm on another container with no network access.

The one thing that is less trustworthy is using local agents for service management; you definitely want to have them scoped to dev/testing. I would never trust an agent to execute any command in production or on sensitive data at all.
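The "allowed set of files" idea in ghm2199's comment above, as an added example rather than code from pi or any tool mentioned in the thread: a small grant checker for an agent's read/write tools that canonicalises every requested path before comparing it against the granted directories, so `..` traversal and symlinks planted inside the repo cannot reach files outside it. Anything that is not a plain read or write (an `exec` request, say) is refused here, on the assumption that execution goes to a network-less container instead. The `Grant` type, the `authorize` function and the temporary directory layout in `demo()` are all constructed for this illustration.

```python
"""Path-scoped read/write grants for an agent's file tools (added example)."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    root: str            # directory the grant covers
    write: bool = False  # False = read-only grant

    def __post_init__(self):
        # Canonicalise once so a symlinked root (e.g. /tmp on macOS) compares correctly.
        object.__setattr__(self, "root", os.path.realpath(self.root))


def _inside(path: str, root: str) -> bool:
    """True if canonical `path` is `root` itself or somewhere below it."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def authorize(grants, requested: str, mode: str) -> tuple[bool, str]:
    """Decide one read/write request against a list of Grants.

    realpath() resolves every symlink and `..` component, so a link planted
    in the repo that points at ~/.ssh resolves to ~/.ssh and is judged as
    such.  A path that does not exist yet (a new file) still has its parents
    resolved, which is what a write needs.  The check is advisory at the
    moment of the call: the tool that opens the file should also open with
    O_NOFOLLOW or re-check the opened descriptor to close the TOCTOU window.
    """
    if mode not in ("read", "write"):
        return False, f"mode {mode!r} is not a file grant; route it to the sandbox container"
    real = os.path.realpath(requested)
    for g in grants:
        if _inside(real, g.root):
            if mode == "write" and not g.write:
                return False, f"{real} is inside read-only grant {g.root}"
            return True, f"{real} is inside grant {g.root}"
    return False, f"{real} is outside every grant"


def demo() -> dict[str, bool]:
    """Constructed sandbox: a writable repo grant, a read-only docs grant and a
    secrets directory outside both, reachable via `..` and via a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, docs, secrets = (os.path.join(tmp, d) for d in ("repo", "docs", "secrets"))
        for d in (repo, docs, secrets):
            os.makedirs(d)
        with open(os.path.join(repo, "main.py"), "w") as f:
            f.write("print('hello')\n")
        with open(os.path.join(docs, "README.md"), "w") as f:
            f.write("docs\n")
        with open(os.path.join(secrets, "id_ed25519"), "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.symlink(secrets, os.path.join(repo, "link"))  # planted escape hatch inside the repo
        grants = [Grant(repo, write=True), Grant(docs)]

        def ok(path: str, mode: str) -> bool:
            return authorize(grants, path, mode)[0]

        return {
            "write_repo_file": ok(os.path.join(repo, "main.py"), "write"),
            "create_repo_file": ok(os.path.join(repo, "new.py"), "write"),
            "read_docs": ok(os.path.join(docs, "README.md"), "read"),
            "write_docs": ok(os.path.join(docs, "README.md"), "write"),
            "dotdot_escape": ok(os.path.join(repo, "..", "secrets", "id_ed25519"), "read"),
            "symlink_escape": ok(os.path.join(repo, "link", "id_ed25519"), "read"),
            "exec_request": ok(os.path.join(repo, "main.py"), "exec"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```

Only the two in-repo writes and the docs read are allowed; both escapes, the write to the read-only grant and the exec request are denied.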

csomar · 2026-07-02 Thu 01:22 UTC
I mean, if the execution happens on the VM then the problem is trust in the programs, and then you can't trust any program by that logic? That, or you think AI companies' software is serious slop.
jen20 · 2026-07-02 Thu 02:38 UTC
Slop is less of a problem than the incentive such companies have to “accidentally” hoover up whatever data is accessible.
miroljub · 2026-07-02 Thu 05:41 UTC
Do you also run your browser in the VM? Why would an agent be less trusted than any other piece of software?
SwellJoe · 2026-07-02 Thu 05:57 UTC
I don't run anything but the agent and the project it's working on and the tools it needs to work on the project in the VM.

You can't see how the agent having no access to anything other than what it's working on is safer than the agent having access to my home directory with all of my credentials?

Look, you do whatever you want to do with your agents and your computer. I'm going to...contain them.

https://venturebeat.com/security/six-exploits-broke-ai-codin...

nutjob2 · 2026-07-01 Wed 21:40 UTC
What's stopping a CLI from doing the same?

I've never used IDEs and never will, why are these things being constantly shoved down our throats?

mattnewton · 2026-07-02 Thu 01:20 UTC
But then I close my laptop and it's not running on the headless host anymore, right?
SwellJoe · 2026-07-02 Thu 02:22 UTC
That's also true if you're running the agent directly on your laptop OS.

In that case, maybe you want VMs at hosting providers. There are companies building ephemeral VM and container orchestration layers for this kind of thing, I haven't played with them, though. It seems like a reasonable idea, though. One isolated environment per project or repo. Only the secrets needed for that one project and an agent that can't reach outside of it.

I've considered building something along those lines, and actually do run my security auditing benchmarks in containers automatically (that was originally to prevent the models from cheating, because you can disable network, but it has other pleasant side effects).

It's actually not that big of a lift these days to spin up containers on-demand and put just what's needed inside them (including the authentication info for the agent). I probably should automate it... right now I just have four permanent VMs set up for my various types of work: my day job, my open source projects, my benchmark and security work, and some side projects. Plus some temporary ones for experiments.
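The one-isolated-environment-per-project setup SwellJoe describes here, together with the per-repo GitHub deploy keys from the earlier comment in this thread, as an added example that is not ZCode's or any other project's code: a Python helper that builds the `ssh-keygen` and `docker run` command lines so that a container sees one checkout, one read-only deploy key and a pinned `known_hosts`, runs as an unprivileged uid with all capabilities dropped, and has no network unless the job asks for it. The directory layout under `/srv/agents/<job>/`, the `agent-base:latest` image name and uid `1000` are assumptions; the `docker` and `ssh-keygen` flags themselves are standard.

```python
"""Least-privilege container launch for a coding agent (added example)."""
import os
import shlex
import subprocess
import sys

AGENT_IMAGE = "agent-base:latest"  # assumed image name; build your own with the agent inside


def deploy_key_cmd(key_path: str, repo_name: str) -> list[str]:
    """Argv for a fresh, passphrase-less ed25519 key dedicated to one repo.

    Register key_path + ".pub" as a deploy key on that single repo (read-only
    unless the agent really must push).  A leaked key then unlocks one repo,
    not the whole account.  chown the private key to the container uid and
    chmod it 0600 before mounting it.
    """
    return ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", key_path,
            "-C", f"agent-deploy-key:{repo_name}"]


def agent_container_cmd(repo_dir: str, key_path: str, known_hosts: str, *,
                        network: bool = False, agent_argv=("bash",)) -> list[str]:
    """docker run argv that exposes only the repo, its deploy key and a pinned known_hosts.

    --network none            no egress unless the job explicitly needs it
    --cap-drop ALL            plus no-new-privileges: no setuid tricks inside
    --read-only + tmpfs /tmp  the image itself cannot be modified
    --user 1000:1000          unprivileged uid; pids/memory limits contain runaways
    GIT_SSH_COMMAND           forces this key only and a pinned host key, so the
                              container never does trust-on-first-use for github.com
    """
    repo_dir = os.path.abspath(repo_dir)
    key_path = os.path.abspath(key_path)
    known_hosts = os.path.abspath(known_hosts)
    git_ssh = ("ssh -i /run/secrets/deploy_key -o IdentitiesOnly=yes "
               "-o UserKnownHostsFile=/run/secrets/known_hosts -o StrictHostKeyChecking=yes")
    cmd = [
        "docker", "run", "--rm", "-it",
        "--network", "bridge" if network else "none",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--read-only",
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=256m",
        "--user", "1000:1000",
        "--pids-limit", "512",
        "--memory", "4g",
        "-v", f"{repo_dir}:/work:rw",
        "-v", f"{key_path}:/run/secrets/deploy_key:ro",
        "-v", f"{known_hosts}:/run/secrets/known_hosts:ro",
        "-e", f"GIT_SSH_COMMAND={git_ssh}",
        "-w", "/work",
        AGENT_IMAGE,
    ]
    cmd.extend(agent_argv)
    return cmd


def main(argv: list[str]) -> int:
    """Print the command for JOB_DIR (assumed layout: repo/, deploy_key, known_hosts);
    pass --run to actually execute it."""
    if len(argv) not in (2, 3):
        print(f"usage: {argv[0]} JOB_DIR [--run]", file=sys.stderr)
        return 2
    job = os.path.abspath(argv[1])
    cmd = agent_container_cmd(os.path.join(job, "repo"),
                              os.path.join(job, "deploy_key"),
                              os.path.join(job, "known_hosts"))
    print(shlex.join(cmd))  # dry run by default so the flags can be reviewed
    if len(argv) == 3 and argv[2] == "--run":
        return subprocess.call(cmd)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The agent's own API token is the one secret that still has to go in (via `-e` or another read-only mount); keep it a per-job token where the provider supports that, so the blast radius stays "this repo and this token", which is the point of the setup above.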

anavat · 2026-07-02 Thu 05:21 UTC
No, it actually continues running headless on the host, and you can reconnect from another laptop or mobile phone, or even ssh to the host and attach to the session. At least the Codex desktop app works this way.
dandaka · 2026-07-02 Thu 07:26 UTC
Codex, Claude Code, ZAI — they continue working in headless mode when you close your laptop, if you have connected to a remote machine.
htrp · 2026-07-02 Thu 02:10 UTC
Examples here?
FergusArgyll · 2026-07-01 Wed 22:02 UTC
I finally repurposed an old server just for that and for anyone reading who has not had a chance to use --dangerously-etc. it's awesome, do it :)
ahmadyan · 2026-07-01 Wed 22:56 UTC
a well-designed IDE should abstract that away, i.e. run the agent in the headless VMs while giving you an abstraction such that you would feel like you are running the agent locally with all the benefits (editor, browser, diffs, debugger, etc.)
aussieguy1234 · 2026-07-02 Thu 02:20 UTC
I just back up my entire home folder to another device, then let it rip
knocte · 2026-07-02 Thu 06:01 UTC
I shared your fear some weeks/months ago so I was always using my harness in the cloud. However, latency started to become an issue when I traveled to other countries where I needed a VPN... so I ended up cooking skynot to be able to trust running my harness in my own computer: https://github.com/tarsgate/skynot (PRs welcome if you want to add support for another harness different than Pi)
nicoty · 2026-07-02 Thu 06:32 UTC
I've contributed to https://github.com/0xferrous/agent-box which allows you to bind-mount git repositories into containers that agents operate in, preventing the agents from accessing files that aren't bind-mounted. Your usual .gitignore can then be used to also ignore files within the repo to be bind-mounted, which prevents agents from accessing them at all, essentially working as a sandbox.

I also maintain https://github.com/nothingnesses/agent-images which allows you to use Nix to reproducibly spin up OCI container images containing agents and any other tools you need for development and use these with agent-box.

I use both at the moment to work on some personal projects with agents, where I set up multiple separate git worktrees for the agents to work in, preventing them from accessing anything outside of the worktrees and from trampling over each other's work.

raphinou · 2026-07-02 Thu 06:50 UTC
In case anyone is interested, I'm also using bash scripts to run my agents in containers. It's simple, but has only bash and docker as dependencies: https://github.com/asfaload/agents_container
LuD1161 · 2026-07-02 Thu 07:05 UTC
Might wanna check out https://github.com/LuD1161/agentjail - policy guardrails for coding agents.

shameless self-plug. I've been dogfooding it for the last 3 weeks now.

Scrounger · 2026-07-02 Thu 07:39 UTC
> I'm running these things in headless VMs

What's your setup like and what do you use it for?

I have an M2 Max MBP with plenty of RAM and I use VSCode + Zoo Code plugin with Qwen3-Coder-Next-GGUF:UD-Q4_K_XL to run local agentic coding sessions, but I'm intrigued by being able to run headless as I could probably run multiple instances in parallel to do stuff?

Like are you using UTM with some pre-built VM and a local LLM?

Curious.