Hacker News

Favorites Setup
Comment by SwellJoe | original | ZCode – Harness for GLM-5.2
[−]SwellJoe · 2026-07-01 Wed 22:52 UTC · link
I don't run agents directly on my desktop/laptop machine. I run them in VMs or containers (sometimes in containers on VMs). There have been too many credentials stealing exploits via prompt injection and the like for me to be willing to let an agent roam around on my personal system.

I've also started creating new github deploy keys for each repo in use on a VM, so the blast area for any given agent disaster is "a couple/few github repos and whatever credentials were needed for the agent/model".

I wouldn't let a coworker, even one I know pretty well, log into my personal account on my machines...why would I let an agent that can be tricked into uploading all my credentials to an attackers web server?

The agents have sandboxes, but those are loose. Not enforced by anything outside of the agent harness itself.

[−]notshore · 2026-07-01 Wed 23:04 UTC · link
I'm working on a credential broker that would keep credentials vaulted and parcel out access on a per-grant basis. Is that something you'd find useful or is your setup comprehensive enough? We would be allowing people to draft access policies with natural language, I figured it would be useful for things like vercel, stripe access etc.
[−]0gs · 2026-07-02 Thu 01:04 UTC · link
fwiw, i built something simple like this into my harness thing (github.com/0gsd/enough). may not be complicated enough to do per application nowadays vs. needing a modularized outside solution, but it is certainly a good idea that seems to work!
[−]UnlockedSecrets · 2026-07-02 Thu 03:51 UTC · link
Not at all would i ever within the current technology constraints trust a "natural language model" to secure access to my own credentials, i will always keep it as completely isolated from anything at all i would consider 'risky' and pre-define before it begins what it could possibly access through a brand new VM with only the absolute minimal access to any git repo's and completely restrict to the extent that is allowable, it's ability to do anything outside of it's own playground. The playground is disposable, the potential for the LLM to access any of my own accounts and wreak havoc on the trust in my network is unacceptable under any rules....
[−]scorpioxy · 2026-07-01 Wed 23:48 UTC · link
Oh yeah, that sounds wise to me. Some people don't run the agents on a VM on their own machine and opt for a VPS somewhere. And I was wondering if privacy and security had anything to do with their decision.
[−]Avicebron · 2026-07-02 Thu 01:17 UTC · link
This is what I do, VMs in proxmox. It works really well.
[−]chrisweekly · 2026-07-02 Thu 02:27 UTC · link
Have you seen smolvm (from smolmachines)?
[−]drnick1 · 2026-07-02 Thu 04:41 UTC · link
Do you not find a dedicated UNIX user to be sufficient for the sake of protecting personal files, SSH keys, etc?
[−]Operyl · 2026-07-02 Thu 04:56 UTC · link
It's all fun and games until the model is smart enough to figure out privilege escalation, i.e. a lot of people don't realize Docker enabled on a regular user is enough for privilege escalation if you "follow the tutorials."
[−]krzyk · 2026-07-02 Thu 05:39 UTC · link
Agent that can apt-get is more useful.