sub-agent-sandboxing
Use when delegated work needs runtime guardrails — constrain sub-agents with loop detection, circuit breakers, and escalating sandbox levels before accepting their output
Best use case
sub-agent-sandboxing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when delegated work needs runtime guardrails — constrain sub-agents with loop detection, circuit breakers, and escalating sandbox levels before accepting their output
Teams using sub-agent-sandboxing should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/sub-agent-sandboxing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How sub-agent-sandboxing Compares
| Feature / Agent | sub-agent-sandboxing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when delegated work needs runtime guardrails — constrain sub-agents with loop detection, circuit breakers, and escalating sandbox levels before accepting their output
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Sub-Agent Sandboxing Sub-Agent Sandboxing protects the main workflow from delegated tasks that spiral, retry indefinitely, or make changes in the wrong environment. It complements file-scope controls by adding runtime guardrails around how a sub-agent is allowed to execute. ## Why This is Copilot-Exclusive This pattern depends on Copilot CLI's delegated-agent workflow: separate `task()` execution lanes, background lifecycle management, approval checkpoints, and the ability to route risky work into a different checkout or environment before merging it back. ## When to Use - A delegated task could loop on the same tool call or retry path - The agent may need multiple execution environments as risk increases - Generated output must be validated before it can touch the main working tree - A failing sub-agent should cool down without blocking the entire orchestrator ## When NOT to Use | Instead of sub-agent-sandboxing | Use | |---------------------------------|-----| | You only need a narrow writable path | `scope-guard` | | You are designing tasks and contracts before execution starts | `agentic-engineering` | | The task is read-only research | normal delegation or `fleet-parallel` | ## The Three Guardrails ### 1. Loop Detection Track repetition at the orchestrator boundary, not inside the agent prompt. | Signal | Threshold | Response | |--------|-----------|----------| | Same tool + same arguments repeats | 3 times in a short window | Warn and inspect the prompt | | Same tool + same arguments repeats | 5 times in a short window | Stop the sub-agent and escalate | | Same tool appears regardless of args | 30 total calls | Treat as suspicious | | Same tool appears regardless of args | 50 total calls | Hard-stop the run | The exact window can vary by workflow. The important part is having a warning threshold and a hard stop threshold before retries become invisible token burn. ### 2. LLM Circuit Breaker Do not let a failing lane hammer the same provider indefinitely. | Trigger | Threshold | Response | |--------|-----------|----------| | Timeout / empty result / validation failure cluster | 5 failures within 60 seconds | Open the breaker for that lane | | Breaker re-entry after cooldown | 1 probe call | Close only if the probe succeeds | | Repeated open states | 2+ cycles | Escalate to a human or reroute once | Use a single bounded reroute only when the task is idempotent and policy allows a different model or provider lane. Otherwise, keep the breaker open and surface the blocker. ### 3. Sandbox Escalation Increase isolation as risk increases: | Level | Environment | Use for | |------|-------------|---------| | **L1 Local** | Current checkout with strict validation | Small, low-risk delegated edits | | **L2 Container** | Disposable Docker/devcontainer environment | Tooling drift, dependency installs, risky generation | | **L3 Remote sandbox** | Provisioned Kubernetes or equivalent isolated runtime | Untrusted tasks, high side-effect risk, destructive experiments | If the safer environment is not available, stop and report that limitation rather than silently downgrading the isolation level. ## Workflow ### 1. Classify the delegated task Before dispatch, write down: - expected files or outputs - validation step - maximum acceptable side effects - fallback if the run is stopped ### 2. Arm the guardrails State the thresholds in the brief: ```text Loop policy: - warn after 3 repeated identical tool calls - stop after 5 - stop if one tool exceeds 50 calls total Circuit breaker: - open after 5 failed attempts in 60 seconds - allow one probe after cooldown, otherwise keep the lane blocked ``` ### 3. Choose the minimum safe sandbox Use the lightest level that still makes rollback easy. If the task can damage the current checkout, move it to a worktree or higher-isolation environment first. ### 4. Validate before accepting output Even successful sandboxed runs are only candidates. Review: - touched files - dependency changes - test/build result - schema or format constraints - secrets or credential leaks in logs ### 5. Escalate cleanly When the guardrail trips, return a useful blocker: ```text BLOCKER: sub-agent stopped by loop detection after repeated identical tool calls. Last safe state: sandbox output preserved in worktree X. Next action: rewrite the brief or switch to a higher-isolation lane. ``` ## Relationship to Other Skills - `scope-guard` limits **where** edits may happen - `sub-agent-sandboxing` limits **how** delegated execution behaves over time - `agentic-engineering` defines the task contract before dispatch - `using-git-worktrees` provides one practical isolation lane for L2/L3 style containment ## Verification Checklist - [ ] Repetition thresholds are defined before the task starts - [ ] Breaker policy says when to stop retrying - [ ] Sandbox level matches the real blast radius - [ ] Output is validated before merge or apply - [ ] The failure path reports a blocker instead of silently retrying forever ## Tips - Start with worktree isolation before reaching for heavier infrastructure - Preserve the sandbox output so a stopped run is inspectable - Separate "tool repeated because it is working" from "tool repeated because the agent is stuck" - If one lane is unstable, keep the rest of the orchestration moving while that lane cools down ## See Also - [`scope-guard`](../scope-guard/SKILL.md) — constrain writable scope - [`agentic-engineering`](../agentic-engineering/SKILL.md) — define explicit delegated task contracts - [`fleet-parallel`](../fleet-parallel/SKILL.md) — coordinate multiple delegated lanes safely - [`using-git-worktrees`](../../workflow/using-git-worktrees/SKILL.md) — isolate risky work in a separate checkout - [`orchestration/patterns/sub-agent-sandboxing`](../../../orchestration/patterns/sub-agent-sandboxing.md) — deeper orchestration pattern reference
Related Skills
verification-before-completion
Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.
using-git-worktrees
Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly
triage
Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.
to-issues
Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice
sprint-workflow
Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.
sprint-retro
Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.
security-audit
Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.
release
Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.
prompt-optimizer
Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.
outside-voice
Use when you need an independent second opinion before, during, or after implementation — run challenge, consult, or review mode in a direct builder-to-builder voice
llm-wiki
Use when research or domain knowledge keeps getting rediscovered across sessions — build a supplementary markdown wiki that compounds synthesized knowledge without replacing GitHub or committed project guidance
interview-me
Use when a request is underspecified and you need to discover what the user actually wants before writing a plan, spec, or code - ask one question at a time, attach your current hypothesis, and stop only after the intent is explicitly confirmed.