
> Robust security against agent actions going haywire can be achieved via command runners like just or make. These tools provide everything that MCP does - command specifications, descriptions, arguments. Agents allow you to specify what command prefixes can be invoked without approval - put your agent commands in a justfile, and only auto-allow shell commands prefixed with just.

Shell scripting isn't easily sandboxed like that, just by checking a string to see if it begins with "just". If you want security you need to run commands inside an actual sandbox, and get data in/out of the sandbox in a well-thought-out manner. See how browsers manage to run untrusted JavaScript and wasm from actual malicious sites, and do exactly the same.

In this sense, MCP is much better than running commands on the local machine because all MCP does is an HTTP request. I don't need to run an MCP server that runs LLM-provided commands on my local machine, like, at all.



I didn't get how limiting the agent to running just scripts from a justfile limits what the agent can run in any way. Because what's stopping the agent from editing the justfile to add whatever it wants to run?


Indeed, there's a very large number of things an agent can do to work around those restrictions (for example, maybe you make it so the justfile is off limits, but what about .env? What about ~/.bashrc?). Running commands on your dev machine is dangerous and AI agents should never have this kind of unsandboxed access.
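As an added illustration of the two points made above (a "starts with just" prefix check is not a sandbox, and the justfile, .env and ~/.bashrc all change what an approved command actually does), here is example code that is not part of the thread: a stricter approval rule that parses the command with shlex and only auto-approves the exact form `just <recipe>`, plus a check that escalates any command naming one of those policy files. The recipe allowlist and the policy-file list are assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Constructed example (not from the thread): a stricter auto-approval rule
# than "starts with 'just'", plus a check for commands touching policy files.

# Recipes a human has reviewed and is willing to auto-approve (assumed).
ALLOWED_RECIPES = frozenset({"build", "test", "lint"})

# Files that change the meaning of an "allowed" command, as the thread notes:
# the justfile itself, shell startup files and .env (list is an assumption).
POLICY_FILES = frozenset({"justfile", ".justfile", ".env", ".bashrc", ".zshrc", ".profile"})


def tokenize(cmd: str) -> list[str]:
    """Split cmd like a POSIX shell; operators (; && || | > >> < &) become their own tokens.
    Raises ValueError on unbalanced quotes."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # words end only at whitespace or an operator (Python 3.8+)
    lex.commenters = ""          # keep '#' literal, as the shell does mid-word
    return list(lex)


def naive_prefix_allow(cmd: str) -> bool:
    """The rule from the quoted comment: anything starting with 'just ' runs unprompted."""
    return cmd.startswith("just ")


def auto_approve(cmd: str, allowed: frozenset[str] = ALLOWED_RECIPES) -> tuple[bool, str]:
    """Approve only the exact form `just <recipe>`; everything else goes to a human."""
    try:
        tokens = tokenize(cmd)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if tokens[:1] != ["just"]:
        return False, "not a just invocation"
    if len(tokens) != 2:  # chained commands, redirects, flags, extra args
        return False, "operators, flags or extra arguments present"
    if tokens[1] not in allowed:
        return False, f"recipe {tokens[1]!r} not in the reviewed allowlist"
    return True, "allowed recipe"


def touches_policy_file(cmd: str) -> bool:
    """True if any token names a file that redefines what approved commands do."""
    try:
        names = {PurePosixPath(tok).name.lower() for tok in tokenize(cmd)}
    except ValueError:
        return True  # unparseable input is treated as suspicious
    return not names.isdisjoint(POLICY_FILES)
```

Even the strict rule only decides what to prompt for; as the thread says, it is not a sandbox, since `just` still runs whatever the justfile contains, so edits to the files in `POLICY_FILES` need review regardless of how the command itself looks.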



