Personal AI Agent Security Sandbox for Self-Hosted LLM Workflows
As local LLM usage explodes, people are connecting AI agents to their files, email, and tools with zero isolation. Vitalik Buterin's widely-shared April 2026 post documented that 15% of AI agent skills contain malicious instructions. Users want a lightweight sandbox layer between their local LLM and the actions it can take, with human-in-the-loop approval for anything destructive.
Don't try to rebuild Firecracker. Build the permission layer ABOVE the LLM runtime: a daemon that intercepts tool calls (file writes, network requests, message sends) and requires human approval above configurable thresholds. Vitalik's '$100/day spend cap' pattern is the design target. Ship as a Docker sidecar to Ollama/OpenWebUI.
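The interception logic above can be sketched in a few dozen lines. This is a minimal illustration, not a real implementation: the names `ToolCall`, `PermissionGate`, and the `ask_human` callback are all hypothetical, and the spend cap defaults to the $100/day figure mentioned above.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class ToolCall:
    # Hypothetical shape of an intercepted agent action.
    action: str            # e.g. "file_write", "network_request", "spend"
    target: str            # path, URL, or recipient
    cost_usd: float = 0.0

@dataclass
class PermissionGate:
    daily_spend_cap: float = 100.0   # the '$100/day spend cap' pattern
    destructive_actions: set = field(
        default_factory=lambda: {"file_write", "message_send"}
    )
    _spent_today: float = 0.0
    _day: date = field(default_factory=date.today)

    def check(self, call: ToolCall, ask_human) -> bool:
        # Reset the rolling spend counter at midnight.
        if date.today() != self._day:
            self._day, self._spent_today = date.today(), 0.0
        # Hard block: anything that would push spend past the daily cap.
        if self._spent_today + call.cost_usd > self.daily_spend_cap:
            return False
        # Human-in-the-loop: destructive actions need explicit approval.
        if call.action in self.destructive_actions and not ask_human(call):
            return False
        self._spent_today += call.cost_usd
        return True
```

In a real sidecar, `ask_human` would surface a prompt in the chat UI or a push notification; here it is just a callback so the gate itself stays transport-agnostic.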
Landscape (3 existing solutions)
All existing sandbox tools target enterprise or cloud-scale AI deployments. Nothing exists as a lightweight, self-hosted 'permission layer' that sits between a local LLM (Ollama, llama.cpp) and the user's files/tools, implementing Vitalik's 'human + LLM 2-of-2' approval model. The gap is in the consumer/prosumer tier.
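The 'human + LLM 2-of-2' approval model boils down to: an action proceeds only if both an automated LLM reviewer and the human sign off. A hedged sketch, where `llm_reviewer` stands in for a call to a local screening model (e.g. via Ollama) and `human_prompt` for the approval UI; both names are illustrative:

```python
from typing import Callable

def two_of_two_approve(
    action: str,
    llm_reviewer: Callable[[str], bool],
    human_prompt: Callable[[str], bool],
) -> bool:
    # The LLM reviewer screens for injected or malicious instructions first,
    # so the human is only interrupted for plausible-looking actions.
    if not llm_reviewer(action):
        return False
    # Second signature: the human. Both must approve for the action to run.
    return human_prompt(action)
```

Ordering matters for the user experience: putting the LLM check first keeps a flood of malicious skill instructions from turning into a flood of approval prompts.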