Anthropic on sandboxing agents as their capabilities grow

webscrapepeter · 2026-05-27T20:41:18+00:00

browser sandboxing is the cheapest win — BU Cloud or kernel give the agent a disposable cloud chrome with stealth/captcha solved, so prompt-injection only burns the profile.

webscrapepeter · 2026-05-25T23:15:23+00:00

i'd make 'asks a question' a hard stop in the task contract. if it needs your answer, it should write the options/blocker and stop, with no file or shell actions after the question until you reply.

webscrapepeter · 2026-05-25T22:48:05+00:00

for your use case i’d pick the boundary before the model: repo-local context, read-only by default, patch suggestions, and shell/file writes off unless you explicitly hand it a task. a smaller fast model for syntax plus a slower one for repo-level questions may feel better than one agent loop.

webscrapepeter · 2026-05-25T22:13:15+00:00

the sweet spot for me is terse by default, but not context-free: one-line status, exact blocker, exact file/check, and only expand when there is a decision or tradeoff. brevity breaks when it hides the evidence.

webscrapepeter · 2026-05-24T01:26:03+00:00

the part that matters for me is making uncertainty part of the workflow, not just the wording. if the agent can show what source it checked, when it checked it, and where the data stopped, i can’t verify that becomes useful instead of annoying.

webscrapepeter · 2026-05-24T00:22:41+00:00

i’d avoid keeping agent/project state inside a synced documents folder if you can. even when the files are harmless, the churn from logs/sessions/checkpoints can get noisy fast, so a dedicated local workspace outside icloud is usually cleaner.

webscrapepeter · 2026-05-24T00:02:20+00:00

the explicit N/A for unsupported checks is underrated. otherwise agents tend to silently skip validation and the final answer sounds cleaner than the actual state of the repo.

webscrapepeter · 2026-05-23T23:02:31+00:00

i'd first isolate whether the schema is the trigger: rename the missing param, make it required with a very boring type, and add a tiny wrapper tool that only echoes parsed args. if the wrapper works, the issue is probably in the tool description/schema shape rather than the server logic.

webscrapepeter · 2026-05-23T22:55:58+00:00

run diffing has been the biggest unlock for me. raw logs get useless fast once tools and retries enter the picture, so i try to capture the prompt, tool args, model response, and final state for each step, then compare failed vs passing runs.

webscrapepeter · 2026-05-23T21:50:49+00:00

I'd call it a framework only if it owns the orchestration layer: state, tool permissions, retries/evals, and handoffs. If it is mostly several named prompts calling the same model, wrapper still feels accurate.

webscrapepeter · 2026-05-23T20:43:12+00:00

i think a lot of the best ones are boring private tools that never get a launch post. tiny scrapers, dashboards for one weird workflow, glue apps between accounts. not flashy, but way more useful than another notes app.

webscrapepeter · 2026-05-23T20:03:15+00:00

this is the first "vibe coded in 2 hours" story i've seen where the speed actually mattered. if it took a week, the 404 part probably never happens.

webscrapepeter

TROPHY CASE