Zerobox: Lightweight, Cross-Platform Process Sandboxing
Afshin Mehrabani | April 2, 2026 | product-announcement | medium credibility
Source: GitHub | Author: Afshin Mehrabani | Published: ~2026-03-30 | Category: product-announcement | Credibility: medium
Executive Summary
- Zerobox is a Rust-based CLI and TypeScript SDK for sandboxing arbitrary processes with deny-by-default file, network, and environment controls. It claims ~10ms startup overhead, no Docker/VMs required, and cross-platform support (macOS via Seatbelt, Linux via Landlock/seccomp/Bubblewrap).
- The tool is explicitly derived from OpenAI Codex’s sandbox crates, repackaged as a standalone utility. Its most novel feature is a credential injection proxy that replaces placeholder secrets with real values only for whitelisted outbound hosts, preventing sandboxed code from ever seeing actual API keys.
- The project is very early-stage: 303 stars, 117 commits, 12 forks, MIT-licensed, single maintainer. Community reception on Hacker News (90 upvotes, 128 comments) was cautiously positive, with the strongest criticism directed at insufficient security documentation and macOS network filtering relying on proxy environment variables rather than kernel enforcement.
Critical Analysis
Claim: “~10ms overhead per invocation”
- Evidence quality: anecdotal
- Assessment: One Hacker News commenter reported ~10ms on Apple M5, which is plausible for Seatbelt profile loading on macOS and Bubblewrap spawning on Linux. However, there are no published benchmarks, no methodology described, and no comparison against a baseline. The claim is reasonable for process setup overhead but has not been independently validated. The number likely excludes the proxy startup time for credential injection, which adds its own latency.
- Counter-argument: The 10ms figure may be misleading for real-world use. If the sandbox wraps a short-lived process (e.g., a quick script), 10ms is significant. If it wraps a long-running agent session, it is negligible. The metric matters less than the security guarantees, which are not quantified.
Claim: “Deny-by-default security — no Docker or VMs required”
- Evidence quality: case-study (derived from OpenAI Codex codebase)
- Assessment: This is accurate. Zerobox reuses the sandboxing primitives from OpenAI’s Codex CLI: Seatbelt on macOS, Bubblewrap + seccomp + Landlock on Linux. These are well-understood OS-level mechanisms. The key advantage over container-based solutions is zero infrastructure dependency; the key disadvantage is that the isolation boundary is weaker than a VM or container. On macOS specifically, the Seatbelt sandbox-exec API is officially deprecated by Apple, though Apple continues to use it internally. On Linux, Landlock requires kernel 5.13+ (filesystem) and 6.4+ (network), limiting compatibility on older distributions.
- Counter-argument: “No Docker required” is a double-edged sword. Docker/VM-based sandboxes (E2B, Leash) provide stronger isolation boundaries — process-level sandboxing via Landlock/seccomp is susceptible to kernel exploits. For running truly untrusted code, a microVM provides a harder boundary. Zerobox is better positioned for “semi-trusted” code with guardrails, not adversarial containment.
Claim: “Credential injection via proxy — sandboxed process never sees real API keys”
- Evidence quality: anecdotal (author demonstration, HN discussion)
- Assessment: This is the most novel and genuinely useful feature. The architecture spawns a local HTTP proxy, injects placeholder values into the sandboxed environment, and only substitutes real credentials when the outbound request targets a whitelisted host. This prevents exfiltration of secrets even if the sandboxed code is compromised. Hacker News commenters called this a “genuinely great idea.” However, the mechanism depends on programs respecting proxy environment variables (HTTP_PROXY/HTTPS_PROXY). Programs that bypass proxies, use custom TLS stacks, or make direct socket connections will circumvent this protection entirely.
- Counter-argument: The proxy-based approach is fundamentally best-effort on macOS because network filtering depends on application cooperation, not kernel enforcement. On Linux, Landlock on kernel 6.4+ can enforce network restrictions at the kernel level, but the credential injection still depends on the proxy being used. A determined attacker in the sandbox could bypass this. For production use with adversarial threat models, this is insufficient.
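The substitution rule described in the assessment above, as an added Rust sketch; it is not Zerobox's code. The type and function names, the placeholder string, the hosts and the secret value are all constructed for illustration.

```rust
use std::collections::HashMap;

/// One injected secret (all names and values here are constructed, hypothetical).
struct Secret {
    placeholder: &'static str,      // what the sandboxed process sees
    real: &'static str,             // what the upstream API must receive
    hosts: &'static [&'static str], // only destinations allowed to get `real`
}

const SECRETS: &[Secret] = &[Secret {
    placeholder: "PLACEHOLDER_API_KEY",
    real: "sk-real-constructed-value",
    hosts: &["api.example.com"],
}];

/// Lower-case the authority, drop a numeric port and a trailing dot.
fn normalise_host(authority: &str) -> String {
    let host = match authority.rsplit_once(':') {
        Some((h, p)) if p.chars().all(|c| c.is_ascii_digit()) => h,
        _ => authority,
    };
    host.trim_end_matches('.').to_ascii_lowercase()
}

/// Substitute only for allowlisted hosts; exact match, so a look-alike suffix host fails.
fn rewrite_headers(authority: &str, headers: &HashMap<String, String>) -> HashMap<String, String> {
    let host = normalise_host(authority);
    let mut out = HashMap::new();
    for (name, value) in headers {
        let mut v = value.clone();
        for s in SECRETS.iter().filter(|s| s.hosts.iter().any(|h| *h == host.as_str())) {
            v = v.replace(s.placeholder, s.real);
        }
        out.insert(name.clone(), v);
    }
    out
}

fn auth_header_for(authority: &str) -> String {
    let mut h = HashMap::new();
    h.insert("authorization".to_string(), "Bearer PLACEHOLDER_API_KEY".to_string());
    rewrite_headers(authority, &h)["authorization"].clone()
}

fn main() {
    for dest in ["api.example.com:443", "API.Example.com.", "api.example.com.evil.test"] {
        println!("{:<26} -> {}", dest, auth_header_for(dest));
    }
}
```

A request to a non-allowlisted host leaves with the placeholder intact, so the real key never travels there; this holds only for traffic that actually passes through the proxy.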
Claim: “Cross-platform: macOS and Linux supported”
- Evidence quality: vendor-sponsored (README documentation)
- Assessment: Technically true, but the security properties differ dramatically between platforms. On Linux, the combination of Landlock + seccomp + Bubblewrap provides genuine kernel-level enforcement of file and network restrictions. On macOS, Seatbelt provides file system sandboxing, but network filtering falls back to proxy environment variables, which are advisory rather than enforced. Windows is listed as “planned” with no timeline. The cross-platform claim is accurate, but a claim of security parity across platforms would be misleading.
- Counter-argument: Users who evaluate Zerobox on macOS (where many developers work) may develop false confidence about security properties that do not fully transfer. The README should more prominently document the platform-specific differences in enforcement strength.
Credibility Assessment
- Author background: Afshin Mehrabani is a software engineer at Microsoft, previously at Etsy. Creator of IntroJS (28k+ GitHub stars), author of books on IntroJS and MongoDB. Contributor to Semantic Kernel (Microsoft’s AI SDK). He has a strong open-source track record but no prior security-focused projects. He works on Copilot-related projects at Microsoft, which gives relevant context for AI agent tooling but does not establish security credentials.
- Publication bias: This is a personal open-source project, not a vendor product. The README contains marketing-style claims (“lightweight”, “~10ms”) but no monetization angle. The author was transparent in HN comments about limitations (macOS proxy limitation, need for better docs). The project derives from OpenAI’s open-source Codex sandbox crates, which lends some credibility to the underlying mechanisms.
- Verdict: medium — The author is credible and transparent, the underlying technology (Codex sandbox crates) is battle-tested, but the project itself is very early-stage with no independent security audit, no formal benchmarks, and important platform-specific caveats that are under-documented.
Entities Extracted
| Entity | Type | Catalog Entry |
|---|---|---|
| Zerobox | open-source | link |
| Leash by StrongDM | open-source | link |