Executive Summary
Vercel has published a guide on a secure architectural pattern for AI agents that generate and execute code. The company highlights the significant security risk of the common practice of running agents and their generated code within a single security context, which exposes credentials to theft via prompt injection. Vercel's recommended solution is to run the agent harness and the untrusted generated code in separate, sandboxed compute environments to prevent the generated code from accessing the agent's secrets.
Key Takeaways
* Core Problem: AI "coding agents" are vulnerable to prompt injection attacks where a malicious prompt can trick the agent into generating and running code that steals sensitive credentials (e.g., API tokens, SSH keys).
* Identified Actors: An agentic system consists of four actors with different trust levels: the Agent, Agent Secrets, Generated Code Execution, and the Filesystem/Environment.
* Flawed Default Architecture: Most current agent systems run all actors in a single security context, giving generated code full access to the agent's secrets and the underlying environment.
* Proposed Secure Architecture: The agent harness (which manages secrets) should run in one compute context, while the untrusted code it generates is executed in a separate, isolated, and ephemeral sandbox (e.g., a dedicated VM).
* Mechanism: Communication between the agent and the sandboxed code occurs through a tool invocation abstraction layer, ensuring the sandbox environment never has access to the agent harness's credentials.
* Benefits: This separation protects secrets from exfiltration, isolates the broader infrastructure from potentially malicious generated code, and allows compute resources for the agent and the executed code to be optimized independently.
Strategic Importance
This announcement positions Vercel as a thought leader in the secure deployment of AI applications. By defining a critical security problem in modern agent architecture, Vercel frames its products (like Vercel Sandbox and Fluid) as the necessary infrastructure for building secure and scalable AI systems.