cover

2026-06-10

What is a code execution tool (sandbox)?

A code execution tool, or sandbox, is a controlled runtime that lets an AI agent run code safely without giving it full access to your systems.

Why it matters

LLMs are good at writing code, but they cannot reliably verify code by thought alone. A sandbox lets an agent:

run generated code
check outputs
inspect errors
iterate on fixes

You’d reach for it when the task needs computation, file manipulation, data transformation, or testing. In practice, teams use sandboxes when “just answer in text” is too brittle and they want the model to execute and validate its own work.

How it works

A sandbox is usually a restricted process, container, VM, or managed execution environment that limits what the code can do.

Typical controls include:

Isolation
The code runs away from the host system and other workloads.
Resource limits
CPU, memory, time, and sometimes disk are capped to reduce abuse or accidental runaway jobs.
Permission boundaries
The environment may block network access, restrict filesystem access, or expose only specific files and tools.
Return channel
The system sends back stdout, stderr, exit codes, files, or structured results so the agent can inspect what happened.

For agents, the sandbox is often part of the tool loop: the model writes code, runs it, reads the result, and then revises the code if needed.

Tiny concrete example

An agent is asked: “Compute the sum of all CSV values in sales.csv.”

It might generate and run something like:

import csv

total = 0
with open("sales.csv", newline="") as f:
    for row in csv.DictReader(f):
        total += float(row["amount"])

print(total)

The sandbox executes the script, returns the printed total, and the agent uses that result in its final answer.

Common pitfalls / when NOT to use it

Treating it as perfectly safe
A sandbox reduces risk; it does not eliminate it. Badly configured environments can still leak data or allow harmful behavior.
Giving more access than needed
If the task only needs arithmetic, do not mount the whole filesystem or enable network access.
Using it for untrusted code without defense in depth
Strong sandboxing often needs multiple layers: isolation, least privilege, monitoring, and tight resource limits.
Expecting it to fix bad code logic
The sandbox helps run and observe code. It does not make incorrect code correct.
Using it when a simpler tool is enough
For pure retrieval, text generation, or straightforward API calls, a sandbox may be unnecessary overhead.

Related terms

同じ著者の記事

What is chunking (and semantic chunking)?

What is chunking (and semantic chunking)?

Chunking is the practice of splitting a larger piece of text or data into smaller pieces so a system can process, store, or retrieve it more effectively; semantic chunking does the same thing, but tries to cut at meaningful boundaries instead of by fixed length. Chunking is a core technique in retrieval-augmented generation (RAG), document search, summarization, and any workflow that needs to feed long content into an LLM. Why teams use it: LLMs have context limits, so very large documents must

What is semantic search?

What is semantic search?

Semantic search is a way to find information by meaning, not just by matching the exact words you typed. Traditional keyword search is good when you know the exact term to look for. Semantic search helps when users phrase the same idea in different words, use synonyms, or ask a question instead of naming a document. You’d reach for it when: search queries are messy or conversational, exact wording varies a lot across documents, you want to retrieve “about the same thing” rather than “contains th

What is an embedding?

What is an embedding?

An embedding is a vector embedding: a list of numbers that represents something—like a word, sentence, image, or user—in a way a model can compare mathematically. Embeddings turn messy, human data into a form machines can use for: Similarity search: “Find documents like this one.” Recommendations: “Show items close to what the user liked.” Clustering and classification: “Group related things together.” Retrieval for LLMs: “Fetch the most relevant context before generating an

What is a vector database?

What is a vector database?

A vector database, also called a vector store, is a system for storing and searching data by its numerical embeddings so you can find items that are “most similar” rather than exactly matching text or IDs. Regular databases are great when you know the exact thing you want: a user ID, a product SKU, a timestamp range. But many AI features need semantic search or nearest-neighbor retrieval: “find questions like this one,” “retrieve passages relevant to this prompt,” or “recommend items

What is retrieval-augmented generation (RAG)?

What is retrieval-augmented generation (RAG)?

Retrieval-augmented generation, or RAG, is a way to make a language model answer questions using relevant external documents it retrieves first, instead of relying only on what it memorized during training. RAG helps when you want answers that are: grounded in your own content, such as docs, policies, tickets, or product knowledge easier to update than retraining a model more likely to mention current or proprietary information In practice, teams reach for RAG when a model needs to answer “what

What is tool use in AI agents?

What is tool use in AI agents?

Tool use in AI agents is when an LLM-based agent can call external functions, APIs, or programs—often called a tool calling agent—to get information or take actions it cannot do reliably from text alone. A plain language model is good at generating text, but it does not reliably know live facts, cannot directly query a database, and should not guess at actions like sending email or creating tickets. Tool use solves that by letting the model delegate specific steps to purpose-built systems. Y

What is the agent loop (perceive-plan-act)?

What is the agent loop (perceive-plan-act)?

The agent loop, also called the perceive-plan-act loop, is the repeated cycle where an AI agent observes its situation, decides what to do next, and then takes an action. This is the basic control pattern behind many agentic systems. Instead of asking a model for one one-off answer, you let it keep checking the world, updating its plan, and acting until the task is done or it should stop. You reach for it when the task is dynamic, multi-step, or depends on intermediate results: calling tools, br

What is a ReAct agent?

What is a ReAct agent?

A ReAct agent is an LLM-driven system that alternates between reasoning and acting—often called reason + act or ReAct prompting—so it can decide what to do next, use tools, and update its plan from the results. ReAct is useful when a model should not just produce an answer, but also take steps in the world: search a document set, call an API, inspect a database, or ask for more information. In practice, teams reach for it when: a plain chat completion is too static, the task

What is an agentic workflow?

What is an agentic workflow?

An agentic workflow is a workflow where an AI system can decide and take multi-step actions toward a goal, instead of only producing a one-shot answer; you may also hear this called an agentic system. Use an agentic workflow when the task is not just “generate text,” but “figure out what to do next.” That includes tasks like investigating an issue, pulling together information from multiple tools, retrying after failure, or following conditional branches based on intermediate results

What is an AI agent?

What is an AI agent?

An AI agent, also called an LLM agent or autonomous agent, is a system that can pursue a goal by deciding what to do next, taking actions, and using the results to keep going. Most AI systems just answer a prompt once. An agent is useful when one answer is not enough and the system needs to act over multiple steps: search, call tools, inspect results, retry, and stop when the goal is met. You’d reach for an agent when the task is: open-ended, not a single fixed response dependent on external