Full access to do the work.
The agent drives a real browser, fills forms, clicks through flows, and reads real pages. Nothing is mocked. The work happens for real, inside the box.
AI agent sandboxDisposable. Isolated.
A sandbox for AI agents.Contained on close.
An AI agent sandbox isolates the agent from your machine, your credentials, and your cookies. The agent gets full access inside the sandbox. It gets zero access to your real stack. One click to start. One click to destroy. Nothing persists.
- Zero machine access
- No persistent cookies
- Burn on close
BoundaryAgent vs you
InsideAgent
Full access
Real browser. Real pages. Real work.
OutsideYou
Zero access
Your machine, credentials, cookies. Sealed.
One boundary decides the blast radius.
What a sandbox is.
Why it matters.
A sandbox is an isolated environment. The agent runs with full access inside it and no path out. Your machine, your credentials, and your cookies stay outside the boundary.
Isolation matters because agents read untrusted pages. A single poisoned page can rewrite an agent's instructions. That is prompt injection. Run the agent on your laptop and a hijacked agent inherits your sessions and your filesystem.
Run it in a sandbox and the same hijack reaches an empty, isolated session instead. The sandbox is the boundary that decides the blast radius. For the broader threat model, read how Legba isolates AI agents.
The isolation
guarantees.
Full access inside. Zero access outside. Stated plainly, because the boundary is the whole product.
Zero access to your machine.
Your filesystem, your local credentials, and your environment stay out of reach. A hijacked agent finds an empty, isolated session, not your laptop.
No cookies in. No session out.
Every run spawns fresh, with no persistent cookies and no carried-over login. There is no session for an injected prompt to steal.
Burn on close.
Click destroy and the session is gone. No residue, no snapshot left running, no trail back to you. The next run starts clean.
Three steps.
No setup to wire up.
No CLI. No Docker. No API keys. The sandbox spawns clean and is destroyed on close.
Spawn the sandbox.
One click starts an isolated cloud session. No CLI, no Docker, no API keys to wire up. The agent template is pre-configured and ready to run.
Run the agent.
The agent works inside the sandbox with full access to a real browser. It reads real sites, fills real forms, and stays sealed off from your machine the whole time.
Destroy on close.
One click destroys the session. Cookies, state, and the browser are gone on close. Nothing persists into the next run, and nothing reaches back to your stack.
Go deeper → Read how to run Claude computer use safely or the full OpenClaw sandbox.
What to run inside it.
Let a coding agent run, not your shell.
Run an autonomous coding agent against a task without handing it your local filesystem or live credentials. The agent works in the isolated session. A bad command or a poisoned dependency stays in the box.
Give computer-use agents a real browser, contained.
Computer-use agents click, type, and navigate like a person. Run them in the sandbox so a prompt-injected agent drives an isolated session instead of your real one. OpenClaw is live now.
Scrape real sites without exposing your stack.
Scraping reads untrusted pages, which is exactly where injection hides. Run it in a disposable sandbox on a real browser, then destroy the session on close. No cookies carried in, no trail left behind.
Infrastructure,
then containment.
Browser infrastructure for agents, like Browserbase, Steel, or Anchor, focuses on scale and reliability. Legba focuses on containment. Different jobs. Teams often need both.
Dimension
Browser infrastructure
Legba sandbox
Primary job
Infrastructure: Scale and reliability for agent browsing
Legba: Containment of the agent itself
What you provision
Infrastructure: Browser sessions at volume, behind an API
Legba: A disposable, isolated sandbox per run
Isolation from your machine
Infrastructure: Varies by setup and configuration
Legba: Sealed by default: no machine, no local credentials
Persistence between runs
Infrastructure: Often configurable for reuse
Legba: None. Fresh spawn, destroyed on close
Setup
Infrastructure: SDK, keys, and integration work
Legba: One click to start, one click to destroy
Best paired with
Infrastructure: High-volume, repeatable agent traffic
Legba: Risky runs that need a blast-radius boundary
If you run high-volume agent traffic, browser infrastructure earns its place. If a run touches real sites and could be hijacked, it needs a blast-radius boundary too. The OpenClaw sandbox is where that boundary lives.
Start at $0.
OpenClaw is $0 to start. The Pro plan is $50 a month for builders who run agents every day, with concurrent sessions and longer session limits. Pricing covers the sandbox itself, not a separate browser-infrastructure bill.
Sandbox
questions.
An AI agent sandbox is an isolated environment where an agent runs with no path to your real machine, credentials, or cookies. The agent gets full access inside the sandbox. It gets zero access outside it. If the agent is hijacked or prompt-injected, the damage stays inside the box. When the work is done, the sandbox is destroyed. Nothing persists.
Related surfaces
The sandbox is one Legba surface, not a standalone tool.
The AI agent sandbox runs on the same containment model as the rest of Legba. Use the related pages to evaluate the agent surface, the safe-run guide, and how Legba isolates agents.
Agent surface01
Run agents in the OpenClaw sandbox
Launch OpenClaw in one click, see live templates, and read the pricing. SWE-Agent and OpenHands are coming next.
ExploreGuide02
Run Claude computer use safely
The sibling guide on containing a computer-use agent: what to isolate, what to inspect, and how to keep a hijack inside the box.
ExploreIsolation03
How Legba isolates AI agents
The broader case for keeping agents off your stack: prompt injection, blast radius, and a real browser that leaves no trail.
Explore