Sandboxing coding agents doesn't solve the credential authorization gap
A Permit.io post by Or Weis argues that container and VM isolation for coding agents addresses host compromise but leaves the more dangerous "authority problem" unsolved — agents holding high-scope GitHub tokens, cloud credentials, and MCP connections remain high-authority operators regardless of sandbox hardening.
Score breakdown
The post identifies a concrete gap in current coding-agent security practice: teams that invest in sandbox hardening may remain dangerously exposed because the agent's credential surface — not its process boundary — defines the actual blast radius of a compromise or misuse event.
- Host isolation (containers, microVMs, seccomp) and authority isolation (what an agent can do via legitimate APIs) are distinct security properties that are frequently conflated.
- An agent holding a high-scope GitHub PAT and cloud CLI credentials remains a high-authority operator regardless of sandbox hardening.
- Authority leaks through side channels: pre-authenticated local CLIs, warm browser sessions, CI tokens in repo secrets, and MCP servers.
The post, authored by Or Weis and published on the Permit.io blog, draws a sharp distinction between two security properties that are frequently conflated: host isolation and authority isolation. Host isolation — containers, microVMs, seccomp profiles, egress controls, read-only mounts — answers the question of how far a malicious process can move on a host machine. Authority isolation answers a different question: what can the process do through legitimate APIs and trusted control planes? An agent with a token that can merge to `main`, trigger a production deploy, or read secrets from a vault doesn't need a kernel escape to cause serious damage.
The post argues that most teams underestimate the credential surface of a coding agent because they reason only about what was explicitly passed via environment variables. In practice, authority leaks through many side channels: local CLIs already authenticated, warm browser sessions, CI tokens in repo secrets, and MCP servers that proxy additional capabilities. The post references a Hacker News thread on Claude Code security in which engineers specifically called out Gmail access, password-reset abuse, browser-profile exposure, and `.env`/MCP pathways as the real concerns — not whether an agent can delete local files.
The credential inventory the post identifies as practically significant includes GitHub App tokens and PATs (where scope distinctions like `repo:read` vs. `contents:write` or `org-admin` are critical), package registry credentials for npm, PyPI, and crates.io (described as distribution-plane risk, since a compromised publish token can ship malicious artifacts even if source control remains clean), and cloud CLI/API credentials across AWS, GCP, and Azure. The post frames least-privilege for coding agents as a requirement that must model all of these surfaces, not just `.env` files. The source text is truncated before the full proposed runtime permission model is described.
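The side channels and credential planes described in the two paragraphs above, as an added inventory check that is not from the Permit.io post or its author: it reports which authority surfaces (source control, distribution, infrastructure, browser, MCP) are reachable from the home and project directories an agent runtime sees, without ever printing a secret value. The default tool paths, the `.mcp.json` file name and the token prefixes are assumptions to verify against your own environment.

```python
import re
from pathlib import Path

# Default credential locations for common tools (assumed; verify for your setup).
HOME_SURFACES = {
    ".config/gh/hosts.yml": "source-control: GitHub CLI session",
    ".aws/credentials": "infrastructure: AWS CLI credentials",
    ".config/gcloud/credentials.db": "infrastructure: gcloud credentials",
    ".azure/msal_token_cache.json": "infrastructure: Azure CLI token cache",
    ".npmrc": "distribution: npm token",
    ".pypirc": "distribution: PyPI token",
    ".cargo/credentials.toml": "distribution: crates.io token",
    ".config/google-chrome/Default": "browser: Chrome profile",
}
# Files in the checked-out project that widen authority (assumed names).
PROJECT_SURFACES = {
    ".env": "secrets: .env file readable by the agent",
    ".mcp.json": "mcp: MCP server configuration (proxied capabilities)",
}
# Token prefixes used to classify env vars; only the name and plane are reported.
ENV_TOKEN_PATTERNS = {
    r"^(ghp_|github_pat_)": "source-control: GitHub token",
    r"^npm_": "distribution: npm token",
    r"^pypi-": "distribution: PyPI token",
    r"^AKIA": "infrastructure: AWS access key",
}

def inventory(home, project, env):
    """Return (surface, plane) pairs for every authority surface that is present."""
    home, project = Path(home), Path(project)
    findings = []
    for rel, plane in HOME_SURFACES.items():
        if (home / rel).exists():
            findings.append((f"~/{rel}", plane))
    for rel, plane in PROJECT_SURFACES.items():
        if (project / rel).exists():
            findings.append((f"{project.name}/{rel}", plane))
    for name, value in env.items():
        for pattern, plane in ENV_TOKEN_PATTERNS.items():
            if re.match(pattern, value):
                findings.append((f"${name}", plane))
    return findings

def planes(findings):
    """Distinct authority planes reachable: the blast radius at a glance."""
    return sorted({plane.split(":")[0] for _, plane in findings})

if __name__ == "__main__":
    import os
    found = inventory(Path.home(), Path.cwd(), os.environ)
    for surface, plane in found:
        print(f"{surface:45} {plane}")
    print("planes reachable:", ", ".join(planes(found)) or "none")
```

Run it inside the sandbox the agent actually executes in, not on the developer workstation, since the point is what the runtime can reach.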
Key facts
- GitHub token scope distinctions — e.g., `repo:read` vs. `contents:write` or `org-admin` — are described as critical to limiting agent authority.
- Package registry credentials (npm, PyPI, crates.io) represent distribution-plane risk: a compromised publish token can ship malicious artifacts even if source control is intact.
- Cloud CLI/API credentials (AWS, GCP, Azure) become infrastructure authority when reachable by an agent runtime.
- A Hacker News thread on Claude Code security is cited, with engineers flagging Gmail access, password-reset abuse, and browser-profile exposure as the real concerns over sandbox breakout.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 15, 2026 · 11:57 UTC.