Show HN: Yolobox – Run AI coding agents with full sudo without nuking home dir

Original link: https://github.com/finbarr/yolobox

## yolobox: safe AI coding with a "YOLO mode"

yolobox lets you unleash AI coding agents (such as Claude, Codex and Gemini) without risking damage to your system. It does this by running the agent inside a sandboxed container, isolated from your home directory and sensitive files.

**How it works:** Your project is mounted inside the container, giving the AI full permissions within that space. Your home directory stays protected unless you explicitly mount it. The container ships with the AI CLIs and development tools you need, and it skips the agents' permission prompts automatically.

**Key features:**

* **Isolation:** protects your home directory from accidental deletion (e.g. `rm -rf ~`).
* **Full access (inside the container):** the AI has `sudo` inside the container.
* **Persistence:** tools and configuration survive between sessions.
* **Customisation:** configure the runtime (Docker/Podman), image, mounts and environment variables.
* **Security levels:** escalating levels of isolation, from basic containerisation to rootless Podman and even VM isolation.

**Installation:** a simple shell-script install via `curl` or `git clone`.

**Usage:** run `yolobox` from your project directory to enter the sandbox and start coding with the AI!

## Yolobox: a safe AI coding agent with sudo

Finbarr shared Yolobox, a new tool that lets developers run AI coding agents with full `sudo` without endangering the host machine. It does this by running the agents inside a Docker container, giving potentially risky operations (installing software, changing system configuration) an isolated environment.

The initial announcement prompted discussion of security and alternatives. Concern about potential container-escape vulnerabilities led the author to expand the README with more detail on the security model. Users discussed using rootless Podman to minimise privileges further, and shared alternative projects such as `shai`, which offers finer-grained control over file access and network traffic.

Some commenters pointed out Yolobox's similarity to dev containers (`devcontainer`); the author clarified that it builds on that concept, pre-configured with coding-agent tooling. The project aims to address the unease of granting an AI agent full permissions on a local machine, offering a safer way to explore what the agents can do.

Original text
██╗   ██╗ ██████╗ ██╗      ██████╗ ██████╗  ██████╗ ██╗  ██╗
╚██╗ ██╔╝██╔═══██╗██║     ██╔═══██╗██╔══██╗██╔═══██╗╚██╗██╔╝
 ╚████╔╝ ██║   ██║██║     ██║   ██║██████╔╝██║   ██║ ╚███╔╝
  ╚██╔╝  ██║   ██║██║     ██║   ██║██╔══██╗██║   ██║ ██╔██╗
   ██║   ╚██████╔╝███████╗╚██████╔╝██████╔╝╚██████╔╝██╔╝ ██╗
   ╚═╝    ╚═════╝ ╚══════╝ ╚═════╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝

Let your AI go full send. Your home directory stays home.

Run Claude Code, Codex, or any AI coding agent in "yolo mode" without nuking your home directory.

AI coding agents are incredibly powerful when you let them run commands without asking permission. But one misinterpreted prompt and rm -rf ~ later, you're restoring from backup (yea right, as if you have backups lol).

yolobox runs your AI agent inside a container where:

  • ✅ Your project directory is mounted at /workspace
  • ✅ The agent has full permissions and sudo inside the container
  • ✅ Your home directory is NOT mounted (unless you explicitly opt in)
  • ✅ Persistent volumes keep tools and configs across sessions

The AI can go absolutely wild inside the sandbox. Your actual home directory? Untouchable.

# Install (requires Go)
# Read install.sh before piping it into a shell: it runs with your own user's privileges
curl -fsSL https://raw.githubusercontent.com/finbarr/yolobox/master/install.sh | bash

# Or clone and build
git clone https://github.com/finbarr/yolobox.git
cd yolobox
make install

Then from any project:

cd /path/to/your/project
yolobox

You're now in a sandboxed shell. Run claude and let it rip.

The base image comes batteries-included:

  • AI CLIs: Claude Code, Gemini CLI, OpenAI Codex (all aliased to run in full-auto mode!)
  • Node.js 22 + npm/yarn/pnpm
  • Python 3 + pip + venv
  • Build tools: make, cmake, gcc
  • Git + GitHub CLI
  • Common utilities: ripgrep, fd, fzf, jq, vim

Need something else? You have sudo.

Inside yolobox, the AI CLIs are aliased to skip all permission prompts:

| Command | Expands to |
|---|---|
| `claude` | `claude --dangerously-skip-permissions` |
| `codex` | `codex --dangerously-bypass-approvals-and-sandbox` |
| `gemini` | `gemini --yolo` |

No confirmations, no guardrails—just pure unfiltered AI, the way nature intended.

yolobox                     # Drop into interactive shell
yolobox run <cmd...>        # Run a single command
yolobox run claude          # Run Claude Code in sandbox
yolobox upgrade             # Update binary and pull latest image
yolobox config              # Show resolved configuration
yolobox reset --force       # Delete volumes (fresh start)
yolobox version             # Show version
yolobox help                # Show help
| Flag | Description |
|---|---|
| `--runtime <name>` | Use docker or podman |
| `--image <name>` | Custom base image |
| `--mount <src:dst>` | Extra mount (repeatable) |
| `--env <KEY=val>` | Set environment variable (repeatable) |
| `--ssh-agent` | Forward SSH agent socket |
| `--no-network` | Disable network access |
| `--readonly-project` | Mount project read-only (outputs go to /output) |
| `--claude-config` | Copy host ~/.claude config into container |

Auto-Forwarded Environment Variables

These are automatically passed into the container if set. Anything the agent runs inside the container can read them, so prefer tokens scoped to the session (a GITHUB_TOKEN limited to the repository you are working on, for example) over your everyday credentials:

  • ANTHROPIC_API_KEY
  • OPENAI_API_KEY
  • GITHUB_TOKEN / GH_TOKEN
  • OPENROUTER_API_KEY
  • GEMINI_API_KEY

Create ~/.config/yolobox/config.toml for global defaults:

runtime = "docker"
image = "ghcr.io/finbarr/yolobox:latest"
ssh_agent = true

Or .yolobox.toml in your project for project-specific settings:

mounts = ["../shared-libs:/libs:ro"]
env = ["DEBUG=1"]
no_network = true

Priority: CLI flags > project config > global config > defaults. Because .yolobox.toml is read from the project tree, review it before running yolobox in a repository you did not write: its mounts entries bind host paths into the container.
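As an added example (not yolobox's own code), the following Python script merges the three configuration layers in the precedence stated above and normalises mount specs of the `src:dst[:ro]` form used in the project config. It assumes that list-valued keys (`mounts`, `env`) accumulate across layers, which the README does not specify, and the `DEFAULTS` values other than `image` are assumptions. Relative mount sources are resolved against the project directory, as in the `../shared-libs` example. `mounts_outside_project` is the review step for a repository you did not author: it lists every mount whose host source reaches beyond the project tree.

```python
"""Layered yolobox-style config resolution (added example, not yolobox code).

Precedence follows the README: CLI flags > project config > global config >
defaults. ASSUMPTIONS: list-valued keys (mounts, env) accumulate across layers,
and the DEFAULTS below other than `image` are guesses.
"""
import os

try:
    import tomllib  # Python 3.11+; used only by load_layer()
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

DEFAULTS = {
    "runtime": "docker",                        # assumption
    "image": "ghcr.io/finbarr/yolobox:latest",  # value shown in the README's global config
    "ssh_agent": False,
    "no_network": False,
    "readonly_project": False,
    "claude_config": False,
}
LIST_KEYS = ("mounts", "env")


def load_layer(path):
    """Read one TOML file; a missing file is simply an empty layer."""
    if not os.path.isfile(path):
        return {}
    if tomllib is None:
        raise RuntimeError("reading TOML needs Python 3.11+ (tomllib)")
    with open(path, "rb") as fh:
        return tomllib.load(fh)


def resolve(cli=None, project=None, global_cfg=None):
    """Merge the layers; later layers in the loop win for scalar keys."""
    merged = dict(DEFAULTS)
    lists = {key: [] for key in LIST_KEYS}
    for layer in (global_cfg or {}, project or {}, cli or {}):
        for key, value in layer.items():
            if key in LIST_KEYS:
                lists[key].extend(value)  # assumption: lists accumulate
            else:
                merged[key] = value
    merged.update(lists)
    return merged


def parse_mount(spec, project_dir):
    """'src:dst[:ro|rw]' -> (host source, container destination, read_only).

    Relative sources resolve against the project directory, purely lexically
    (no symlink resolution), so "../shared-libs" becomes a sibling of the project.
    """
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad mount spec: {spec!r}")
    if len(parts) == 3 and parts[2] not in ("ro", "rw"):
        raise ValueError(f"unknown mount option in {spec!r}")
    src = os.path.normpath(os.path.join(project_dir, os.path.expanduser(parts[0])))
    dst = os.path.normpath(parts[1])
    if not dst.startswith("/"):
        raise ValueError(f"container path must be absolute: {spec!r}")
    return src, dst, len(parts) == 3 and parts[2] == "ro"


def mounts_outside_project(mounts, project_dir):
    """Mounts whose host source lies outside the project tree.

    Worth a look before running in a repository you did not write: .yolobox.toml
    ships with the repo, and its mounts bind host paths into the container.
    """
    root = os.path.normpath(project_dir)
    found = []
    for spec in mounts:
        src, dst, read_only = parse_mount(spec, project_dir)
        if os.path.commonpath([root, src]) != root:
            found.append((src, dst, read_only))
    return found


if __name__ == "__main__":
    cwd = os.getcwd()
    cfg = resolve(
        project=load_layer(os.path.join(cwd, ".yolobox.toml")),
        global_cfg=load_layer(os.path.expanduser("~/.config/yolobox/config.toml")),
    )
    print(cfg)
    for m in mounts_outside_project(cfg["mounts"], cwd):
        print("mount reaches outside the project:", m)
```

Run it from a project directory to see the resolved configuration and any mounts that reach outside the tree; a read-only mount of a sibling directory like the README's `../shared-libs:/libs:ro` is listed so you can confirm it is intended, while a mount of `~` or `..` would stand out immediately.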

Note: Setting claude_config = true in your config will copy your host's Claude config on every container start, overwriting any changes made inside the container. Use the CLI flag --claude-config for one-time syncs.

  • macOS: Docker Desktop, OrbStack, or Colima
  • Linux: Docker or Podman

Memory: Claude Code needs 4GB+ RAM allocated to Docker. Colima defaults to 2GB which will cause OOM kills. Increase with: colima stop && colima start --memory 8

yolobox uses container isolation (Docker or Podman) as its security boundary. When you run yolobox, it:

  1. Starts a container with your project mounted at /workspace
  2. Runs as user yolo with sudo access inside the container
  3. Does NOT mount your home directory (unless explicitly requested)
  4. Uses Linux namespaces to isolate the container's filesystem, process tree, and network

The AI agent has full root access inside the container, but the container's view of the filesystem is restricted to what yolobox explicitly mounts.

The trust boundary is the container runtime (Docker/Podman). This means:

  • ✅ Protection against accidental rm -rf ~ or credential theft
  • ✅ Protection against most filesystem-based attacks
  • ⚠️ NOT protection against container escapes — a sufficiently advanced exploit targeting kernel vulnerabilities could break out
  • ⚠️ NOT protection against a malicious AI deliberately trying to escape — this is defense against accidents, not adversarial attacks

If you're worried about an AI actively trying to escape containment, you need VM-level isolation (see "Hardening Options" below).

What yolobox protects:

  • Your home directory from accidental deletion
  • Your SSH keys, credentials, and dotfiles
  • Other projects on your machine
  • Host system files and configurations

What yolobox does NOT protect:

  • Your project directory (it's mounted read-write by default)
  • Network access (use --no-network to disable)
  • The container itself (the AI has root via sudo)
  • Against kernel exploits or container escape vulnerabilities
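The security model above rests on what the container runtime was actually told to do: the protections disappear if the container is started `--privileged`, shares the host's network or PID namespace, or has the runtime socket or the home directory bind-mounted in. As an added example (not part of yolobox), here is a Python audit that checks one `docker inspect` / `podman inspect` record against those claims. The field names are the ones those commands emit; `SAMPLE_OK` and `SAMPLE_BAD` are constructed records, not captured from real runs, and the `yolo` user check follows the README's statement that the agent runs as that user.

```python
"""Audit a container against the isolation model described above.

Added example, not part of yolobox. Input is one record from
`docker inspect <container>` / `podman inspect <container>`; the field names
(HostConfig, Config, Mounts) are the ones those commands emit. SAMPLE_OK and
SAMPLE_BAD are constructed records, not captured from real runs.
"""
import json
import os
import subprocess

RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock", "/run/podman/podman.sock")


def _under(path, root):
    """True if `path` is `root` or lies beneath it (lexical comparison)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root


def audit(record, home, expect_no_network=False):
    """Return findings; an empty list means the container matches the model."""
    findings = []
    host = record.get("HostConfig", {})
    cfg = record.get("Config", {})
    mounts = record.get("Mounts", [])

    if host.get("Privileged"):
        findings.append("privileged: namespaces are no longer a boundary")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability: {cap}")
    if "host" in (host.get("PidMode"), host.get("NetworkMode")):
        findings.append("shares the host PID or network namespace")
    if expect_no_network and host.get("NetworkMode") != "none":
        findings.append(f"network expected off, mode is {host.get('NetworkMode')!r}")
    if not any(m.get("Destination") == "/workspace" for m in mounts):
        findings.append("no /workspace mount")

    for m in mounts:
        if m.get("Type", "bind") != "bind":  # named volumes are the persistence feature
            continue
        src, dst = m.get("Source", ""), m.get("Destination", "")
        mode = "rw" if m.get("RW", True) else "ro"
        if src in RUNTIME_SOCKETS or dst in RUNTIME_SOCKETS:
            findings.append(f"runtime socket mounted at {dst}: root-equivalent on the host")
        elif _under(home, src):  # home itself, or an ancestor of it such as /
            findings.append(f"{src} mounted at {dst} ({mode}) exposes the home directory")
        elif _under(src, home) and dst != "/workspace":
            findings.append(f"review: host path {src} under home mounted at {dst} ({mode})")

    if cfg.get("User", "") in ("", "0", "root"):
        findings.append("runs as root, not the 'yolo' user")
    return findings


def audit_container(name, home=os.path.expanduser("~"), runtime="docker", **kw):
    """Run `<runtime> inspect <name>` and audit the live container."""
    out = subprocess.run([runtime, "inspect", name], check=True,
                         capture_output=True, text=True).stdout
    return audit(json.loads(out)[0], home, **kw)


# Constructed records: what a well-formed sandbox and a broken one look like.
SAMPLE_OK = {
    "Config": {"User": "yolo"},
    "HostConfig": {"Privileged": False, "CapAdd": None, "NetworkMode": "none", "PidMode": ""},
    "Mounts": [
        {"Type": "bind", "Source": "/home/dev/proj", "Destination": "/workspace", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/yolobox-home/_data",
         "Destination": "/home/yolo", "RW": True},
    ],
}
SAMPLE_BAD = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "NetworkMode": "host", "PidMode": ""},
    "Mounts": [
        {"Type": "bind", "Source": "/home/dev", "Destination": "/host-home", "RW": True},
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
    ],
}

if __name__ == "__main__":
    for label, rec in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit(rec, "/home/dev", expect_no_network=(label == "ok")) or "clean")
```

Against a live sandbox, `audit_container("<name>", expect_no_network=True)` after `yolobox run --no-network` should come back empty; any finding means the boundary the README describes is not the one the runtime enforced.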

Hardening Options

Level 1: Basic (default)

yolobox  # Standard container isolation

Level 2: Reduced attack surface

yolobox run --no-network --readonly-project claude

Level 3: Rootless Podman (recommended for security-conscious users)

# Install podman and run rootless
yolobox --runtime podman

Rootless Podman runs the container without root privileges on the host, using user namespaces: the container's "root" is your own unprivileged host user, and the other UIDs inside the container map onto the subordinate range assigned to you in /etc/subuid. An escape from such a container therefore lands as that user rather than as host root, which significantly reduces its impact.
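The mapping is visible in the kernel's own bookkeeping: `/proc/<pid>/uid_map` for any process inside the container lists, per line, the first UID inside the namespace, the first UID outside it, and how many consecutive UIDs the line covers. As an added example (not part of yolobox), the script below decodes such a map and reports what container root amounts to on the host. The two maps are constructed to look like a rootful Docker container and a rootless Podman container for host user 1000 with a subordinate range starting at 100000; on a real host read the live file for the agent's shell instead.

```python
"""What a container UID is on the host: decode /proc/<pid>/uid_map.

Added example, not part of yolobox. Each line of uid_map is
"<first id inside the namespace> <first id outside it> <count>". The two maps
below are constructed to look like a rootful Docker container and a rootless
Podman container for host user 1000 with the usual /etc/subuid range.
"""
import os


def parse_uid_map(text):
    """Parse uid_map/gid_map text into (inner, outer, count) triples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            inner, outer, count = (int(x) for x in line.split())
            entries.append((inner, outer, count))
    return entries


def host_uid(container_uid, uid_map):
    """Host UID behind a UID seen inside the namespace; None if unmapped.

    An unmapped UID cannot be assumed inside the namespace at all (setuid
    fails), so processes there are confined to the mapped ranges.
    """
    for inner, outer, count in uid_map:
        if inner <= container_uid < inner + count:
            return outer + (container_uid - inner)
    return None


def escape_impact(uid_map):
    """What 'root' inside the container amounts to on the host."""
    outer = host_uid(0, uid_map)
    if outer == 0:
        return "root on the host: a kernel escape yields full host control"
    return f"host uid {outer}: an escape lands as an unprivileged user"


def read_uid_map(pid):
    """Read the live map for a process, e.g. the agent's shell inside the container."""
    with open(f"/proc/{pid}/uid_map") as fh:
        return parse_uid_map(fh.read())


# Constructed samples: the rootful map is the identity map over all UIDs; the
# rootless one maps container root to host uid 1000 and container uids 1..65536
# to the subordinate range starting at 100000.
ROOTFUL_MAP = "         0          0 4294967295\n"
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"

if __name__ == "__main__":
    for name, text in (("rootful", ROOTFUL_MAP), ("rootless", ROOTLESS_MAP)):
        uid_map = parse_uid_map(text)
        print(name, "container root ->", escape_impact(uid_map))
        print(name, "container uid 1000 -> host uid", host_uid(1000, uid_map))
    if os.path.exists("/proc/self/uid_map"):  # Linux only
        print("this process's map:", read_uid_map(os.getpid()))
```

Inside a rootless sandbox, `read_uid_map(os.getpid())` returns the second shape; inside a rootful Docker container it returns the identity map, which is exactly why a kernel escape from the default setup is worth worrying about and one from rootless Podman much less so.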

Level 4: VM isolation (maximum security)

For true isolation with no shared kernel, consider running yolobox inside a VM:

  • macOS: Use a Linux VM via UTM, Parallels, or Lima
  • Linux: Use a Podman machine or dedicated VM

This adds significant overhead but eliminates kernel-level attack surface.

Network Isolation with Podman

For users who want the container kept out of the host's own network namespace while preserving internet access:

# Rootless podman uses slirp4netns by default, which gives the container
# its own network stack behind a user-mode NAT
podman run --network=slirp4netns:allow_host_loopback=false ...

yolobox doesn't currently expose this as a flag, but you get it by running rootless Podman, where slirp4netns is the default network mode (on Podman 5.0 and later the rootless default is pasta, and the slirp4netns option shown above does not apply to it). Two caveats: allow_host_loopback=false is already slirp4netns's default, and it only keeps the container from reaching services bound to the host's loopback interface. Other machines on your LAN stay reachable through the NAT, so if you need a hard cutoff use --no-network.

This builds yolobox/base:latest locally.

Because you want to tell your AI agent "just do it" without consequences. YOLO, but in a box.

MIT
