Build a Secure Sandbox for LLM Code Agents on Windows

OperationsCozeUpdated 2026-05-14

Set up a restricted sandbox on Windows to control file access and network traffic for LLM coding agents like Codex, ensuring safety and efficiency.

System Prompt

Create a sandbox for {agent_name} at {sandbox_path} with allowed directories {allowed_dirs} and network policy {network_policy}.

Variable Dictionary (fill in your AI tool)

This section only explains placeholders. It is not an input form on this website. Copy the prompt, then replace variables in Coze / Dify / ChatGPT.

{agent_name}

Name of the LLM code agent to deploy, e.g., Codex

Filling hint: replace this with your real business context.

{sandbox_path}

Full path to the sandbox root, e.g., C:\\Sandbox

Filling hint: replace this with your real business context.

{allowed_dirs}

Comma‑separated list of subdirectories that the agent can access, e.g., C:\\Sandbox\\Allowed,C:\\Sandbox\\Lib

Filling hint: replace this with your real business context.

{network_policy}

Network access policy, options: "none" (fully isolated) or "restricted" (limited ports)

Filling hint: replace this with your real business context.

Quick Variable Filler (Optional)

Fill variables below to generate a ready-to-run prompt in your browser.

{agent_name}

Name of the LLM code agent to deploy, e.g., Codex

{sandbox_path}

Full path to the sandbox root, e.g., C:\\Sandbox

{allowed_dirs}

Comma‑separated list of subdirectories that the agent can access, e.g., C:\\Sandbox\\Allowed,C:\\Sandbox\\Lib

{network_policy}

Network access policy, options: "none" (fully isolated) or "restricted" (limited ports)

Generated Prompt Preview

Missing: 4

Create a sandbox for {agent_name} at {sandbox_path} with allowed directories {allowed_dirs} and network policy {network_policy}.

How to Use This Template

Best for

Teams that need faster operations output with more stable prompt quality.

Problem it solves

Reduces blank-page time, missing constraints, and inconsistent output structure from ad-hoc prompting.

Steps

Copy the template prompt.
Paste it into your AI tool (Coze / Dify / ChatGPT).
Replace placeholder variables using the dictionary above.
Run and refine constraints based on output quality.

Not ideal when

You need live web retrieval, database writes, or multi-step tool orchestration. Use full workflow automation for that.

Success Case

Input:

agent_name=Codex sandbox_path=C:\\Sandbox allowed_dirs=C:\\Sandbox\\Allowed,C:\\Sandbox\\Lib network_policy=none

Output:

Sandbox successfully created. Codex can read/write only within Allowed and Lib directories, and has no outbound network access.

Boundary Case

Input:

agent_name=Codex sandbox_path=C:\\Sandbox allowed_dirs= network_policy=none

Fix:

Provide at least one allowed directory in allowed_dirs.

What to Try Next

Keep exploring with similar templates and matching tools.

Similar Templates

View all templates

Related Tools

View all tools

Continue Where You Left Off

No recent items yet.

Workflow Steps

1️⃣ Define a sandbox configuration file specifying filesystem path, permissions, and network policy.
2️⃣ Use PowerShell on Windows to create the sandbox directory and set NTFS permissions for read/write isolation.
3️⃣ Configure Windows Defender or AppLocker to block processes outside the sandbox from accessing its files.
4️⃣ Apply Windows Firewall or group policy rules to enforce the chosen network policy, allowing or blocking specific ports.
5️⃣ Deploy the LLM code agent inside the sandbox and verify that file and network restrictions are enforced.
6️⃣ Log and monitor for any unauthorized access attempts to maintain compliance.