
dorianzheng | 25 days ago

I think you basically answered the entire question.

1. Our fundamental assumption is: anything that hands control to an agent/skill is potentially compromised (especially if it touches the web / parses docs). So we isolate that work in its own Box with least privilege: minimal mounts (prefer read-only), no ambient secrets, tight CPU/mem limits, and only the network access it actually needs.

2. BoxLite doesn’t try to solve inter-agent “data trust” / prompt-injection by sanitizing content. What it does do is make sure untrusted code can’t hurt the host, and that sensitive local info doesn’t leak (i.e. it reduces blast radius). If you want semantic safety between agents, you still need boundary hygiene patterns (structured outputs, extraction/validation steps, etc.).
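The least-privilege checklist in the comment above (read-only mounts, no ambient secrets, CPU/memory limits, narrow egress) can be expressed as a policy lint over a sandbox spec before the box is launched. The following is an added example written for this page, not BoxLite's own API or code: the `BoxSpec`/`Mount` shape, the secret-name regex, the sensitive-host-path list and the `"*"` convention for unrestricted egress are all assumptions chosen for illustration. It lints a deliberately weak spec beside a hardened one.

```python
"""Least-privilege lint for an agent sandbox spec (added example; hypothetical spec shape)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Heuristic: environment variable names that usually carry credentials (assumption).
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.IGNORECASE)


@dataclass
class Mount:
    host: str            # host path exposed to the box
    guest: str           # path inside the box
    read_only: bool = True


@dataclass
class BoxSpec:
    """Hypothetical sandbox spec; not BoxLite's real configuration format."""
    mounts: list[Mount] = field(default_factory=list)
    env: dict[str, str] = field(default_factory=dict)
    cpu_limit: Optional[float] = None       # None = uncapped
    mem_limit_mb: Optional[int] = None      # None = uncapped
    allowed_hosts: list[str] = field(default_factory=list)  # [] = no egress, "*" = any host


def is_sensitive_host_path(path: str) -> bool:
    """Host paths that expose local state (home dirs, credentials, the Docker socket)."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    if any(p == pre or p.startswith(pre + "/") for pre in ("/home", "/root", "/etc")):
        return True
    return any(marker in p for marker in ("/.ssh", "/.aws", "docker.sock"))


def lint(spec: BoxSpec) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the spec meets the policy."""
    findings: list[tuple[str, str]] = []
    for m in spec.mounts:
        if is_sensitive_host_path(m.host):
            findings.append(("error", f"mount of sensitive host path {m.host} exposes local state"))
        if not m.read_only:
            # Writable mounts are sometimes needed (scratch output), so only a warning.
            findings.append(("warn", f"mount {m.host} -> {m.guest} is writable; prefer read-only"))
    for name in spec.env:
        if SECRET_NAME_RE.search(name):
            findings.append(("error", f"ambient secret {name} in environment; inject per call instead"))
    if spec.cpu_limit is None:
        findings.append(("error", "no CPU limit set"))
    if spec.mem_limit_mb is None:
        findings.append(("error", "no memory limit set"))
    if "*" in spec.allowed_hosts:
        findings.append(("error", "unrestricted egress; allow only the hosts the task needs"))
    return findings


def errors(spec: BoxSpec) -> list[str]:
    """Only the blocking findings."""
    return [msg for sev, msg in lint(spec) if sev == "error"]


def weak_spec() -> BoxSpec:
    """Constructed example of what NOT to do: home dir writable, creds mounted, secrets in env."""
    return BoxSpec(
        mounts=[Mount("/home/dev", "/work", read_only=False),
                Mount("/home/dev/.aws", "/root/.aws", read_only=True)],
        env={"OPENAI_API_KEY": "sk-constructed-placeholder", "PATH": "/usr/bin"},
        cpu_limit=None,
        mem_limit_mb=None,
        allowed_hosts=["*"],
    )


def hardened_spec() -> BoxSpec:
    """Constructed example of the policy in practice: read-only inputs, one scratch dir, capped."""
    return BoxSpec(
        mounts=[Mount("/srv/agent/docs", "/work/docs", read_only=True),
                Mount("/srv/agent/out", "/work/out", read_only=False)],
        env={"PATH": "/usr/bin"},
        cpu_limit=1.0,
        mem_limit_mb=512,
        allowed_hosts=["api.example.com"],
    )


if __name__ == "__main__":
    for label, spec in (("weak", weak_spec()), ("hardened", hardened_spec())):
        print(f"== {label} ==")
        for sev, msg in lint(spec) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run it as a pre-launch gate: refuse to start the box when `errors(spec)` is non-empty, and log the warnings. The lint only enforces the host-isolation half of the comment; it says nothing about what the agent does with the content it reads, which is the separate boundary-hygiene problem the comment points at.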
