Endo Familiar: Object-Capability Sandbox for AI Agents

OpenClawRadar · Published: April 24, 2026 · Source

The Endo Familiar demo, built on HardenedJS and the object-capability (ocap) security model, addresses the fundamental security flaw in current AI agent frameworks: the "credential bag problem." Most agents today receive full access to file systems, API keys, and credentials, creating a single point of failure where prompt injection or misalignment can cause catastrophic damage.

How it works

In the demo, engineer Kris Kowal spawns an agent named lal with a single capability: reading an instruction primer. No filesystem access, no network, no credentials. The agent can only act on what it explicitly holds a reference to. When file operations are needed, a mount of a specific directory is created — not a general filesystem gateway. The mount cannot traverse above its root, cannot follow symlinks out of the tree, and cannot escape its boundaries by construction. That mount is handed to the agent as a reference.

The agent then writes a program that produces a read-only view of a directory. The generated code runs in a sandbox with no ambient capabilities. The output is a narrower capability derived from the original, and that narrowed capability is handed back to the agent. At each step, the scope of authority shrinks to exactly what is needed.


Key technical details

  • Object-capability model: A reference is authority. No ambient permissions pool exists. If code doesn't hold a reference, it cannot forge one.
  • No traversal escape: File system mounts cannot follow symbolic links or escape their root directory.
  • Sandboxed code generation: The agent writes programs in a sandbox that has no built-in capabilities; all inputs are explicit references.
  • WebSocket relay: A colleague joins over a WebSocket relay to share a remote directory. The agent summarizes the remote files without ever knowing they are remote — it only holds a reference to a read-only view.

Why this matters now

The article argues that AI agent deployment is accelerating dangerously without a proper security foundation. The same mistake made by social media apps a decade ago — granting full user privileges to third-party code — is being repeated with AI agents. The Endo approach ensures that even if an agent is hijacked via prompt injection, the damage is limited to the specific capabilities it was granted.

📖 Read the full source: HN AI Agents

