Is sandbox enabled by default?

[siwatanejo]

I'm a bit scared about running this on my computer (and right now I can't be bothered to setup a VPS), so my question is very simple: if I run "git clone $someRepoUrl && cd someRepo" and then execute pi from that folder, am I absolutely sure that the AI won't read or write any files outside that folder?

Documentation on this subject seems to be a bit confusing, sorry if I'm asking a dumb question.

PS: Saw some stuff like leash which seems to hint that sandbox is indeed not default. But I was looking for something more robust (at the OS level), not just a blacklist of commands.

Cheers

[openingnow]

I believe not. I asked pi to check other users of this computer and it succesfully executed cat /etc/passwd | cut -d: -f1 && echo "---" && ls -la /home/.

Also check https://mariozechner.at/posts/2025-11-30-pi-coding-agent/#toc_13

pi runs in full YOLO mode and assumes you know what you're doing. It has unrestricted access to your filesystem and can execute any command without permission checks or safety rails.

[siwatanejo]

Ok thanks for your reply, I read that blog post and I understand things better.

However, then there's this thing called mom that seems to be able to run sandboxed easily? But I'm not sure I understand what it is, because it says something about Slack and I don't use Slack.

[rigr]

ALWAYS run pi in a virtual machine - at least wsl (linux under windows).
MOM should also sit in a separate machine - you never know what might be executed.
Running those in your home is way to dangerous.
I have pi running in wsl and it works just fine.

[siwatanejo]

ALWAYS run pi in a virtual machine

Bro I haven't even run pi even once yet; I precisely started this thread in order to understand it better before running it.

[siwatanejo]

Interesting idea I just saw in HN that can easily help running pi under an easy sandbox: https://news.ycombinator.com/item?id=47301085 ( https://agent-safehouse.dev/ ( https://github.com/eugene1g/agent-safehouse ) )

[Eckii24]

Haven't checked it to its tiny details, but doesn't it use the same sandboxing like this extension from the examples?
https://github.com/badlogic/pi-mono/blob/main/packages/coding-agent/examples/extensions/sandbox/index.ts

[cjermain]

I ran into the same problem. Here is my solution so far -- using a Docker shim to prevent access to files outside of the working directory.
https://github.com/cjermain/pi-less-yolo

[knocte]

The pragmatic approach is to use Unix permissions type of isolation. For that, skynot might help, see #3176

[ouvreboite]

A possible approach could be to use dev containers for your projects.
As an added bonus, it'll make your dev env easy to reproduce by other devs and you can even quickly spawn a github codespace to work on a remote machine.