Safety

Sandboxing and Human in the loop, so you have peace of mind while the agent works

Computer has two complementary safety measures: Human-in-the-loop (HITL) approvals, which pause the agent before sensitive actions, and Sandboxing, available in the desktop app, which locks down what tools can touch while the agent is running. This section covers both.

Human-in-the-loop (HITL)

When Computer is about to run a sensitive tool — one that writes to your filesystem, hits the network, touches a sandboxed resource, or calls an external tool — it can pause and ask you for approval. You'll see:

  • The proposed call (arguments + a short description)

  • A proposed allow-rule

  • Approve or Reject buttons, plus a scope choice: Once (just this call) or Session (for the rest of this chat)

In the Tools section of Settings, you can enable or disable HITL per tool when you add it to Computer.

If Computer attempts something blocked by sandboxing, you'll also see a sandbox bypass prompt that lists exactly what operation it tried (fs_read, fs_write, network) and on which path or host.


Sandboxing

Sandboxing is Computer's safety layer for tools that touch your machine — reading and writing files, running shell commands, and fetching from the web. When it's on, Computer pauses and asks you before doing anything outside a curated safe list.

This section explains: when sandboxing applies, what it blocks, what it auto-allows, what triggers an approval prompt, and how to customise the rules.

Turning sandboxing on

  1. Open Settings → My Computer → Desktop app.

  2. Find the Sandboxing row.

  3. Toggle it on. The change takes effect for new tool calls in your sessions immediately.

What gets auto-allowed (no prompt)

To keep sandboxing usable in day-to-day work, two things are auto-allowed when the rules don't already match:

Files inside your working folder.

Reading, editing, and writing files that live inside your chat's working folder (or any extra directory you've explicitly added) are allowed without a prompt. This works on both macOS and Windows. It's why Computer can iterate on your project files without nagging you on every edit.

Safe read-only Bash commands.

Bash commands are short text instructions you type into a terminal to tell your machine what to do. It's basically texting your computer instead of clicking through menus.

When the OS sandbox is active, a small curated list of read-only / inspection commands runs without a prompt. The full allowlist:

Category                 Commands
Git inspection           git status, git diff, git log, git show, git branch, git remote, git stash list
Filesystem inspection    ls, cat, pwd, head, tail, grep, wc
System info              which, whoami, hostname, date, echo, uname
Version probes           node --version, npm --version, pnpm --version, yarn --version, python --version, python3 --version

These match by prefix, so git status -v or ls -la /tmp count. But if the command contains a shell operator that could change its behaviour (&&, ||, ;, &, redirection like >, >>, 2>, command substitution $(...) or backticks, process substitution >(...) or <(...), or newlines), the auto-allow does not apply and the prompt fires instead.
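As an added illustration of the prefix-plus-operator rule (example code written for this page, not Computer's own implementation), the Python below reproduces the allowlist from the table and refuses any command that carries one of the listed operators. Two details go slightly beyond the text: the prefix match is made on a token boundary, so lsof is not mistaken for ls, and a single pipe | is treated as an operator as well, because a pipe hands the output to a second command that the allowlist never sees. The platform argument models the Windows note below, where no auto-allow exists.

```python
import re

# Safe-prefix allowlist as listed in the table above.
SAFE_PREFIXES = (
    "git status", "git diff", "git log", "git show", "git branch",
    "git remote", "git stash list",
    "ls", "cat", "pwd", "head", "tail", "grep", "wc",
    "which", "whoami", "hostname", "date", "echo", "uname",
    "node --version", "npm --version", "pnpm --version", "yarn --version",
    "python --version", "python3 --version",
)

# Shell syntax that can change what a command does. Any hit cancels the
# auto-allow. The single pipe "|" is this example's addition: the page names
# && || ; & redirection, substitution and newlines, but a pipe also feeds
# the output into a second, unchecked command.
_OPERATOR_RE = re.compile(
    r"&&|\|\||\||;|&"        # chaining, piping, backgrounding
    r"|>>|\d?>"              # output redirection: >, >>, 2> (also catches >(...))
    r"|<\("                  # process substitution <(...)
    r"|\$\(|`"               # command substitution $(...) and backticks
    r"|\n"                   # a second command on the next line
)


def is_auto_allowed(command: str, platform: str = "darwin") -> bool:
    """True if `command` would run without a prompt under the safe-prefix rule."""
    # Windows has no safe-Bash auto-allow: every command prompts there.
    if platform == "win32":
        return False
    cmd = command.strip()
    # Deliberately quote-unaware: 'echo "a;b"' is refused too. The safe
    # failure mode is an extra prompt, not a missed operator.
    if _OPERATOR_RE.search(cmd):
        return False
    # Prefix match on a token boundary: "ls -la" matches "ls", "lsof" does not.
    return any(cmd == p or cmd.startswith(p + " ") for p in SAFE_PREFIXES)


def classify(commands, platform: str = "darwin") -> dict:
    """Map each command to the outcome a user would see: 'auto-allow' or 'prompt'."""
    return {c: ("auto-allow" if is_auto_allowed(c, platform) else "prompt")
            for c in commands}


if __name__ == "__main__":
    # Constructed sample commands an agent might try.
    SAMPLE = [
        "git status -v",
        "ls -la /tmp",
        "lsof -i :8080",
        "git status && rm -rf ~/project",
        "cat notes.txt > ~/.bashrc",
        "echo $(whoami)",
        "ls 2> /dev/null",
        "git status\nrm -rf /",
    ]
    for cmd, outcome in classify(SAMPLE).items():
        print(f"{outcome:10s} {cmd!r}")
```

Run it and the first two commands come back auto-allow while the rest prompt; the last one shows why a newline counts as an operator, since everything after it is a second command hidden behind an allowed prefix.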

What triggers an approval prompt

When sandboxing is on, you'll see a prompt for things like:

  • Reading or editing a file outside your working folder

  • Writing a file outside your working folder

  • Bash commands that aren't in the safe-prefix allowlist above

  • WebFetch to a domain that isn't in your allow rules

The prompt shows:

  • The tool name and the input (the file path, command, or URL)

  • Approve / Reject buttons, plus a scope choice:

    • Once — just this call

    • Session — applies to the rest of this chat (persisted in chat metadata, so it survives reopening the same chat)

Note: on Windows, sandboxing protects you through the approval flow only — the curated safe-Bash auto-allow list (which lets git status, ls, cat etc. run without prompting on macOS / Linux) is not available. When sandboxing is on, every Bash command goes through an approval prompt on Windows. File reads and edits inside your working folder still auto-allow as usual.

Default network and filesystem allowances

When the OS sandbox is on, the network allowlist starts with a curated set of hosts that the model commonly needs during normal agent work, and the filesystem allowlist starts with paths the agent needs to function:

Default allowed network hosts:

  • GitHub: github.com, .github.com, raw.githubusercontent.com, api.github.com, codeload.github.com, objects.githubusercontent.com

  • npm: registry.npmjs.org, .npmjs.org

  • PyPI: pypi.org, .pypi.org, files.pythonhosted.org

  • DevRev: .devrev.ai

Default writable paths:

  • The chat's working folder

  • The agent config directory

  • The OS temp directory (/tmp and the macOS canonical alias /private/tmp)
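To make the two default allowlists concrete, here is an added example (written for this page, not Computer's own code) that decides a WebFetch host and a write path the way the lists above describe. It makes three assumptions the page does not state: an allowlist entry with a leading dot matches any subdomain of that name while a bare entry matches exactly; the working folder and agent config directory are the constructed paths /Users/dev/project and /Users/dev/.agent; and the macOS /tmp to /private/tmp alias is resolved with a fixed table instead of os.path.realpath so the example runs on any machine. The edge cases it handles are the ones that bite real allowlists: a look-alike host such as evilgithub.com, userinfo tricks like https://github.com@evil.io/, a .. that climbs out of the working folder, and a sibling directory that shares the working folder's name as a string prefix.

```python
import posixpath
from urllib.parse import urlsplit

# Default network allowlist from the list above. Assumption made by this
# example (the page does not define the notation): an entry with a leading
# dot matches any subdomain of that name, a bare entry matches exactly.
DEFAULT_HOSTS = [
    "github.com", ".github.com", "raw.githubusercontent.com", "api.github.com",
    "codeload.github.com", "objects.githubusercontent.com",
    "registry.npmjs.org", ".npmjs.org",
    "pypi.org", ".pypi.org", "files.pythonhosted.org",
    ".devrev.ai",
]

# Constructed stand-ins for the default writable paths: the chat's working
# folder, the agent config directory and the OS temp directory.
WORKING_DIR = "/Users/dev/project"
DEFAULT_WRITABLE = [WORKING_DIR, "/Users/dev/.agent", "/tmp", "/private/tmp"]

# On macOS /tmp is an alias of /private/tmp. Real enforcement would call
# os.path.realpath (which also resolves symlinks); this example uses a fixed
# alias table so it behaves the same on any machine.
ALIASES = {"/tmp": "/private/tmp"}


def host_allowed(host: str, rules=DEFAULT_HOSTS) -> bool:
    host = host.lower().rstrip(".")          # case-fold, drop trailing dot
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("."):
            # Suffix match that keeps the dot: ".github.com" matches
            # api.github.com but not evilgithub.com or github.com.evil.io.
            if host.endswith(rule):
                return True
        elif host == rule:
            return True
    return False


def url_allowed(url: str, rules=DEFAULT_HOSTS) -> bool:
    """Decide on the host the client will actually connect to."""
    # urlsplit separates userinfo from the host, so
    # https://github.com@evil.io/ is judged on evil.io, not github.com.
    host = urlsplit(url).hostname
    return host is not None and host_allowed(host, rules)


def canonical(path: str, working_dir: str = WORKING_DIR) -> str:
    """Absolute, lexically normalised, alias-resolved form of `path`."""
    if not posixpath.isabs(path):
        # Relative paths are taken relative to the chat's working folder.
        path = posixpath.join(working_dir, path)
    path = posixpath.normpath(path)            # collapses "..", "." and "//"
    for alias, target in ALIASES.items():
        if path == alias or path.startswith(alias + "/"):
            path = target + path[len(alias):]
    return path


def path_writable(path: str, roots=DEFAULT_WRITABLE,
                  working_dir: str = WORKING_DIR) -> bool:
    p = canonical(path, working_dir)
    for root in roots:
        r = canonical(root, working_dir)
        # Compare on a path-component boundary, not a raw string prefix:
        # /Users/dev/project-old is not inside /Users/dev/project.
        if p == r or p.startswith(r + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests an agent might make.
    for url in ["https://api.github.com/repos", "https://github.com@evil.io/x",
                "https://evilgithub.com/", "https://files.pythonhosted.org/p"]:
        print("network", "allow " if url_allowed(url) else "prompt", url)
    for path in ["src/main.py", "/tmp/build/out",
                 "/Users/dev/project/../.ssh/id_rsa", "/Users/dev/project-old/x"]:
        print("fs_write", "allow " if path_writable(path) else "prompt", path)
```

Lexical normalisation is enough to show the decision logic, but it does not see symlinks; a symlink inside the working folder that points at ~/.ssh would pass this check and has to be caught by realpath-style resolution or by the OS sandbox itself, which is where the fs_read / fs_write bypass prompt described earlier comes from.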
