Your Agent Has Root. Your Laptop Has Everything.
In December 2025, a developer named Mike Wolak watched Claude Code execute rm -rf tests/ patches/ plan/ ~/ on his Mac. The trailing slash turned ~ into his home directory. Years of projects, code, and personal files vanished in seconds. The agent's response: "Oops, looks like I deleted your home directory."
In April 2026, a Cursor agent running Claude Opus 4.6 deleted PocketOS's entire production database — and all volume-level backups — in nine seconds. The founder watched it happen in real time. When he asked the agent why, it replied: "I violated every principle I was given."
These aren't edge cases. They're the predictable outcome of giving an autonomous agent full filesystem access on the machine where you keep everything.
The Problem: Your Agent Runs As You
AI coding agents are incredible productivity tools. They read your codebase, write code, run shell commands, install packages, and make decisions in chains that don't require your approval at every step. That's the whole point — you set a task, and the agent works.
But here's what nobody talks about: that agent is running as you. It has your filesystem permissions. It has your credentials. It has access to your SSH keys, your API tokens, your environment variables, and your production configs. There is nothing between the model's decision and the shell's execution.
When you run claude code --dangerously-skip-permissions (and most power users do, because the permission prompts are unbearable), you've given an AI system unrestricted access to everything you own on that machine. The rm -rf incident isn't a bug — it's a fundamental architectural flaw.
Why Local Docker Isn't Enough
The common advice is "just use Docker." And Docker Sandboxes — Docker's new microVM-based sandboxing product — is a genuine improvement. Each sandbox gets its own filesystem, its own Docker daemon, its own network. The agent can do whatever it wants inside the sandbox without touching your host.
But Docker Sandboxes still run on your laptop. That means:
- Your laptop has to stay on. If you close your laptop, the agent stops. Want to run an overnight build? Your machine is committed for the night.
- Your laptop is the runtime. If the agent pegs all your cores, your machine is unusable. Run 10 agents in parallel? Good luck.
- You have to install something. Docker Sandboxes requires the
sbxCLI. It's lighter than Docker Desktop, sure, but it's still setup. - The cleanup is on you. When the agent's done, you have a sandbox sitting on your machine consuming resources until you clean it up.
Docker moves the blast radius from "your entire filesystem" to "a sandbox on your machine." That's better. But it's not the same as moving the blast radius to the cloud.
What Walk-Away Compute Looks Like
Here's what should be possible:
- You open a web page.
- You pick an agent — Claude Code, Codex, Cursor, any of them.
- A cloud machine boots in seconds with the agent already installed and running.
- You give it your task. Full root. Auto-approve. Let it cook.
- You close the tab.
- The agent keeps working. Your laptop is free. You go get coffee, go to sleep, go to a meeting.
- You come back. Results are there.
- You pay for the seconds it ran — about 3¢ for a 10-minute task.
- You nuke the box. Everything is wiped. Nothing logged, nothing saved.
This is what zipbox.ai does. It's a browser-native cloud platform that boots AI coding agents on disposable Firecracker microVMs. No install, no API key, no SDK, no subscription. You pay per second while the box runs, and $0 while it's paused.
The key insight isn't just "isolation" — Docker does isolation. The insight is walk-away compute: the agent runs in the cloud, not on your machine, so you can literally close the tab and it keeps working. Your laptop is free. The blast radius is zero — not because it's contained, but because it's somewhere else entirely.
Hardware Isolation, Not Just Containers
Each zipbox sandbox is a Firecracker microVM — the same technology AWS uses for Lambda. That means:
- Dedicated guest kernel. Not a shared kernel like Docker containers. The agent can't escape to your host through a kernel vulnerability.
- Hardware-level isolation. KVM virtualization. The agent has its own network, its own filesystem, its own process tree.
- Pre-warmed. The VM is already running before you ask for it. Snapshot restore means no cold-start penalty — you're in a terminal in seconds.
This matters because AI coding agents execute untrusted code. They run whatever the model generates, including commands that may attempt privilege escalation, network access to sensitive endpoints, or filesystem manipulation. A shared-kernel container can be escaped. A dedicated-kernel microVM cannot — at least not through any known container escape.
Disposable By Default
The zipbox mental model is simple: spin up, run, nuke, repeat.
Every sandbox is disposable. When you're done, you delete it. Disk, memory, network — all wiped. Nothing is logged. Nothing is mined. Nothing is used for training. The box exists for exactly as long as you need it and then it's gone.
This changes how you work with agents:
- Try things without consequence. Want to see if an agent can handle a task? Spin up a box, let it try, nuke it if it fails. No cleanup. No state pollution. No accumulated cruft.
- Run 10 experiments in parallel. Ten boxes, ten agents, ten branches. Each fully isolated. When they're done, delete all ten. Total cost for an hour of 10 agents: about $1.
- Let the agent go all-out. Full root, auto-approve,
rm -rfwhatever it wants — it's a disposable box. The worst that can happen is you delete it and start over. Your laptop is never at risk.
The Economics: Cents, Not Subscriptions
Most cloud dev tools cost $10-50/month minimum. Codespaces starts at $10/month. E2B charges per-vCPU-hour plus a subscription. Docker is free locally but costs you your laptop's resources.
zipbox costs $0.014 to $0.116 per hour, depending on the VM size, billed per second. A 10-minute task costs about 3 cents. An overnight build costs less than a dollar. While paused: $0.
No subscription. No card to start. Free credit on signup. Credits never expire.
This unlocks a category of use that subscription-model platforms can't serve: the "let me just try this real quick" use case. Spin up a box for 5 minutes, test something, nuke it. Total cost: 1 cent. No commitment, no cleanup, no risk.
Stop Running Agents On Your Laptop
The rm -rf ~/ incident happened because an agent had unrestricted access to the filesystem where a developer kept everything. The PocketOS database was deleted because an agent had production credentials.
These aren't flukes. They're the inevitable outcome of giving autonomous systems full access to the machine where your life lives. The solution isn't better prompting or more careful agents — it's architectural. Move the agent to a disposable, isolated, cloud environment. Let it run wild. Let it rm -rf all it wants. Then nuke the box and walk away.
Your agent has root. Your laptop has everything. Those two facts shouldn't coexist.
Free credit, no card, no install. Pick an agent and full send.
Try zipbox.ai →