Amy Engineering

How we sandbox untrusted browser tools

AT
Amy Team
Apr 7, 2026 · 1 min read

When an agent fetches a URL, it's running someone else's content inside your stack. The naive setup — same network, same egress, same secrets — is a footgun the moment a model decides a malicious page's instructions are worth following.

We isolate every browser run inside an ephemeral worker with no inbound network, scrubbed env, and a per-run egress allowlist. The agent doesn't know what it lost; the rest of the system doesn't know it ran.

The shape we settled on: one boundary per run, no shared state, and a kill switch that doesn't require human review. It's boring on purpose.

Want Amy to take this off your plate?
Pick a ready-made assistant and try it free.
Browse assistants
AT
Amy Team
Engineering

Keep reading