Podflare sandboxes boot without a network interface. Your sandbox code cannot open a socket, call an external API, or download a package from the internet — regardless of what the code says. This is intentional: it prevents LLM-authored code from exfiltrating data, calling external services, or pulling malicious packages, even if the model writes code that tries to do so.

Why no network by default

Agent code is written by an LLM and can be influenced by prompt injection. Three risks depend on outbound network access:
  • Data exfiltration — code that sends your files to an attacker’s server
  • Cryptomining — code that connects to a mining pool and consumes your compute
  • Supply-chain attacks — pip install of a hallucinated package name that runs malicious code on install
With no network interface in the VM, none of these work. Podflare sandboxes are air-gapped from the internet by construction.
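To check the no-network claim yourself, the following added example (not Podflare's own code) is a self-test that reports whether the process it runs in can see a non-loopback interface or complete an outbound connection. The function names and the two probe targets are assumptions chosen for illustration.

```python
import json
import socket


def probe_egress(targets, connect=socket.create_connection,
                 interfaces=None, timeout=3.0):
    """Report the network access visible to this process.

    targets:    (host, port) pairs to attempt; the ones below are examples.
    connect:    injectable so the check can be unit-tested offline.
    interfaces: interface names; read from the OS when omitted.
    """
    if interfaces is None:
        interfaces = [name for _, name in socket.if_nameindex()]
    report = {
        # Anything besides loopback ("lo", or "lo0" on BSD/macOS) is a NIC.
        "nics": [n for n in interfaces if n not in ("lo", "lo0")],
        "connect": {},
    }
    for host, port in targets:
        try:
            with connect((host, port), timeout=timeout):
                result = "open"
        except OSError as exc:
            # gaierror = DNS failed; other OSErrors = no route, refused, timeout.
            result = f"blocked:{type(exc).__name__}"
        report["connect"][f"{host}:{port}"] = result
    return report


def is_air_gapped(report):
    """True only if no NIC is present and every connection attempt failed."""
    return not report["nics"] and all(
        r != "open" for r in report["connect"].values())


if __name__ == "__main__":
    # Example targets: one hostname (exercises DNS) and one IP literal.
    rep = probe_egress([("pypi.org", 443), ("1.1.1.1", 443)])
    print(json.dumps({"air_gapped": is_air_gapped(rep), **rep}, indent=2))
```

Run it once on the agent host and once inside a sandbox; per the description above, only the sandbox run should report `air_gapped` as true.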

How to get data in and out

Use these two patterns to move data between your agent and the sandbox:

upload() / download()

Push files into the sandbox before running code; pull result files back out afterward.

run_code stdout

Run computation inside the sandbox and read the output through the return value’s stdout field.
Your agent process has full network access. The sandbox does not. Keep network calls in your agent code, then push the results into the sandbox via upload():
import httpx
import json
from podflare import Sandbox

# Your agent calls the external API (has network access)
weather = httpx.get("https://api.weather.com/current?city=sf").json()

with Sandbox() as s:
    # Push the fetched data into the sandbox as a file
    s.upload(json.dumps(weather).encode(), "/tmp/weather.json")

    # Run analysis inside the sandbox
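    # The code string is left-aligned so it runs without an
    # "unexpected indent" error if it is executed verbatim
    r = s.run_code("""
import json
data = json.load(open('/tmp/weather.json'))
print(f"Temperature: {data['temp']}°F, Condition: {data['condition']}")
""")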
    print(r.stdout)
This pattern keeps secrets and credentials in your agent code, never inside the sandbox where LLM-generated code could access them.

Planned: allowlisted egress

For workloads that genuinely need outbound access from inside the sandbox — such as pip install or calling a specific API — Podflare will add allowlisted egress. You’ll be able to specify a list of allowed domains when creating a sandbox:
# Coming in a future release
with Sandbox(egress_allow=["api.openai.com", "pypi.org"]) as s:
    s.run_code("!pip install requests")
    s.run_code("import requests; r = requests.get('https://api.openai.com/...')")
All other outbound connections will be blocked at the proxy level. This feature is not yet available.
Until allowlisted egress ships, upload() and download() are the only way to move data between the internet and a sandbox.
