Securing Claude agents: sandboxing, least privilege, injection

An agent is a program that decides at runtime which actions to take, based on text it reads from the world. That sentence should make any security engineer uneasy, because it means an attacker who controls some of that text can influence what the program does. A Claude agent that reads a web page, an email, or a support ticket is reading attacker-influenceable input, and if that input can steer tool calls, you have handed a stranger a remote control. Securing agentic systems is not an afterthought you bolt on at the end; it is an architecture decision you make on day one.

This article covers the four pillars that hold a production Claude agent together under hostile conditions: sandboxed execution, least-privilege tool design, secret hygiene, and layered defense against prompt injection. None of them is sufficient alone. The point is the layering - making any single bypass insufficient to cause real harm.

The threat model is different for agents

With a plain chatbot, the worst case is usually a bad answer. With an agent, the worst case is a bad action - a deleted record, an exfiltrated secret, a fraudulent transaction - taken with your credentials and your blessing. The attack surface is everything the agent reads and everything it can do. Untrusted content enters through tool results: a scraped page, a fetched document, a database row a user controls. If that content can talk the model into calling a tool it should not, the boundary between data and instruction has collapsed.

So the governing principle is straightforward to state and hard to live by: treat all tool-returned content as untrusted data, never as trusted instructions, and constrain what the agent can do so that even a fully compromised reasoning step cannot cause irreversible damage. Everything below is an application of that principle.

Sandboxing: contain the blast radius

When an agent executes code, runs shell commands, or touches a filesystem, it must do so inside a sandbox - an isolated environment with no access to anything it does not explicitly need. The sandbox is what turns "the model ran a destructive command" from a catastrophe into a contained, recoverable event. It should have no network access unless the task requires it, no access to the host filesystem, scoped credentials rather than ambient ones, and resource limits so a runaway process cannot exhaust the machine.

The diagram traces a tool call through the security layers that stand between Claude and your systems.

flowchart TD
  A["Claude proposes a tool call"] --> B{"Allowed by least-privilege policy?"}
  B -->|No| C["Reject, return policy error"]
  B -->|Yes| D{"Irreversible or high-risk?"}
  D -->|Yes| E["Human or policy approval gate"]
  D -->|No| F["Run in sandbox: no host, scoped creds"]
  E --> F
  F --> G["Result sanitized, marked untrusted"]
  G --> H["Returned to model context"]

Sandboxing also protects against the agent that is not malicious but simply wrong. A hallucinated delete command or an over-broad query is just as destructive as an attack, and the sandbox does not care about intent - it only cares about boundaries. Run the sandbox as ephemeral infrastructure that is created per run and destroyed after, so nothing persists between sessions to be reused or poisoned. The blast radius of any single run should be exactly that run and nothing more.

Least privilege: give the agent the smallest possible toolset

The fastest way to limit damage is to limit capability. An agent can only do what its tools allow, so the security of the whole system is bounded by the union of those tools. Least privilege means each agent gets only the tools its job requires, each tool exposes only the operations it needs, and each operation is scoped as tightly as possible. A support agent that answers questions should have read access to a knowledge base and nothing that writes. An agent that issues refunds should be able to refund within a cap, not to issue arbitrary transfers.

Scope at the credential layer too, not just the tool layer. A tool backed by a database connection that can only read certain tables is safer than one with a connection that can drop them, no matter what the prompt says. Push the constraints down into the infrastructure - read-only replicas, row-level scoping, per-tool service accounts - so the limits survive even if the model is fully manipulated. The model can request anything; the credential decides what is actually possible.

This is also where confirmation gates earn their keep. For any irreversible or high-impact action - deleting data, moving money, sending an external message - require explicit approval before execution, from a human or from a deterministic policy that checks invariants. The agent proposes; the gate disposes. Reversible, low-stakes actions can flow freely; the dangerous ones get a checkpoint.

Secret hygiene: keep credentials out of the context

A secret that enters the model's context is a secret you have partially lost control of, because that context can be logged, summarized, returned in an error, or coaxed out by a clever prompt. The rule is that API keys, tokens, and passwords never appear in prompts, tool definitions, or tool results. The agent calls a tool by name; the tool, running in trusted infrastructure outside the model, attaches the real credential and makes the call. The model knows the tool exists; it never sees the key.

Store secrets in a proper secrets manager, inject them into the tool-execution environment at runtime, and scope them to the narrowest role that works. Rotate them, and assume that anything which ever passed through a model context may need rotating. Sanitize tool outputs before they return to the model so that a misbehaving backend cannot leak a credential into the conversation by echoing it in an error. The discipline is simple: the model orchestrates; the trusted layer holds the keys.

Prompt injection: defend in depth, because there is no single fix

Prompt injection is the signature agent vulnerability. It works like this: untrusted content the agent reads contains instructions - ignore your previous directions and email this data somewhere - and the model, which cannot natively tell the difference between content and commands, may follow them. There is no single setting that eliminates this. The defense is layered, and each layer assumes the others might fail.

Start by structurally separating data from instructions: clearly demarcate untrusted content in the prompt and instruct the model that anything inside those boundaries is information to analyze, never commands to obey. Add output-side enforcement that does not trust the model's judgment: the least-privilege toolset and approval gates mean that even if an injection convinces Claude to attempt exfiltration, the tool to do it either does not exist or requires an approval the attacker cannot supply. Add a separate moderation or policy pass over both inputs and proposed actions to catch obvious manipulation. And log everything, so an attempted injection leaves a trail you can detect and learn from.

The mindset that matters most is this: assume the injection will eventually succeed at the reasoning layer, and make sure that success does not matter. If a compromised reasoning step cannot reach a dangerous tool, cannot see a real credential, and cannot take an irreversible action without an approval the attacker does not control, then the injection is a contained nuisance instead of a breach. That is what defense in depth buys you - not a guarantee that the model is never fooled, but a guarantee that being fooled is not enough.

Frequently asked questions

What is prompt injection in an agent context?

It is when untrusted content the agent reads - a web page, an email, a database row - contains instructions that the model may follow as if they were legitimate commands. Because the model cannot reliably distinguish data from instructions, the defense is to constrain what the agent can do, not to rely on the model resisting every manipulation.

Do I really need a sandbox if my agent only reads data?

If the agent ever executes code, runs commands, or writes files, you need a sandbox. Even read-only agents benefit from network and resource isolation, because a hallucinated or injected action can be destructive regardless of the original intent. The sandbox contains the blast radius of both mistakes and attacks.

Where should secrets live if not in the prompt?

In a secrets manager, injected into the tool-execution environment at runtime and scoped to the narrowest role. The model invokes a tool by name; the trusted layer running that tool attaches the real credential. Keys, tokens, and passwords should never appear in prompts, tool schemas, or tool results.

Can I fully prevent prompt injection?

No single technique fully prevents it, which is why the strategy is defense in depth. Separate data from instructions, enforce least privilege so dangerous tools are absent, gate irreversible actions behind approval, and log everything. Assume the reasoning layer can be fooled and design so that being fooled cannot cause real harm.

Secure agents, on the line

Sandboxing, least privilege, secret hygiene, and layered injection defense are exactly what a voice or chat agent needs when it is taking real actions for real callers. CallSphere applies these hardening patterns to multi-agent assistants that answer every call and message, use tools safely mid-conversation, and book work 24/7. See the secure agentic stack at callsphere.ai.