Sandboxing AI Agents with WebAssembly: Zero Authority by Default

Cosmonic's post, currently trending on HN, makes a strong case that conventional Linux sandboxing mechanisms — seccomp, seatbelt, bubblewrap — are fundamentally unsuited for agentic AI workloads. The core problem: ambient authority.
The Ambient Authority Problem
Every modern runtime gives a process whatever permissions its environment provides: filesystem, network, the user's git credentials, an AWS API key in ENV. The process never asked for them. For deterministic human-written binaries, you can maybe manage this risk with audits. But LLM agents and non-deterministic workflows inherit the developer's full identity and capabilities, creating an 'intolerable attack surface.'
The author calls this the cartographer's dilemma: you're trying to map a shifting coastline of exfiltration paths, and the LLM will find every unmapped cove.
WebAssembly's Capability Model
Cosmonic positions WebAssembly and WASI as the alternative. A Wasm component starts with zero authority: no filesystem, no network, no syscalls, no env vars. Any capability must be a typed import in the component's interface. This is Mark Miller's object-capability model as a runtime: the reference is the permission.
Key implications:
- Virtualized grants: a filesystem capability doesn't hand over
/etc. It provides an interface backed by any store (tmpfs, per-session blob, database). The component cannot escape the abstraction. - Composable capabilities: instead of importing 'the network,' a component imports
wasi:httpwith allowed traffic shapes, orwasi:keyvaluewith a specific bucket. Every capability is named, scoped, and reviewable.
This shifts the security model from 'allow by default, restrict by exception' to 'deny by default, grant explicitly.' The author argues this is the only sound foundation for AI agent security.
📖 Read the full source: HN AI Agents
👀 See Also

Security vulnerabilities exposed in Lovable-showcased EdTech app
A security researcher found 16 vulnerabilities in a Lovable-showcased EdTech app, including critical auth logic flaws that exposed 18,697 user records without authentication. The app had 100K+ views on Lovable's showcase and real users from UC Berkeley, UC Davis, and schools worldwide.

Secure and Protect OpenClaw in Just 2 Minutes with Nono Kernel-Based Isolation
OpenClaw users can now enjoy enhanced security without compromising performance, thanks to Nono kernel-based isolation, a quick and effective solution that takes just two minutes.

Cisco source code stolen via Trivy supply chain attack
Cisco's internal development environment was breached using stolen credentials from the Trivy supply chain attack, resulting in the theft of source code from over 300 GitHub repositories including AI-powered products and customer code.

Architectural fix for AI agent over-centralization: separating memory, execution, and outbound actions
A developer realized their AI assistant was becoming an 'internal autocrat' by handling long-term memory, tool access, and autonomous decisions in one component. The solution involved separating the system into three roles: private controller, scoped workers, and outbound gate.