Alright, I run my agents in YOLO mode. And instead of waking up braced for a disaster, I sleep fine.

I didn’t fix it by making the agent careful. You can’t trust a careful agent. The fix is at the architecture level, not “please, don’t make a mistake.” The agent can be fully compromised, actively malicious, and the worst it can do is open a PR.

Here’s the setup.

The agent runs in a container with no cloud CLI (no az, aws, gcloud, etc.). So how does it do cloud work? A small MCP server runs next to it and holds the token. The agent calls a few tools (list resource groups, whoami) and gets answers back. It never sees the token, so even a compromised agent can only ask for the read-only things the token allows. The MCP server needs to be outside the agent’s container to be secure, but it can be on the same host or in another container.
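To make the token-holding part concrete, here is an added example (not the post’s own code, and not the MCP protocol itself) of the broker pattern described above: a tiny Python server-side object that owns the token, exposes exactly two read-only tools by name, and refuses everything else. `FakeCloud`, `TokenBroker`, the sample token and the resource-group names are all constructed stand-ins for the real cloud SDK and its data; the point is that the agent-facing API only ever returns data, never the credential, and that refused calls are recorded so a hostile agent probing for more shows up in the log.

```python
"""Minimal token-holding tool broker (a stand-in for the MCP server in the post).

The broker is the only object that ever holds the cloud token. The agent
talks to it by tool name and gets plain data back; it cannot request the
token itself, and it cannot call anything that is not on the read-only
allowlist, even though the underlying SDK has destructive calls.
"""
from dataclasses import dataclass

# Constructed sample credential; a real broker would load it from its own
# environment or secret store, outside the agent's container.
SAMPLE_TOKEN = "constructed-read-only-token-0000"


class FakeCloud:
    """Stand-in for a cloud SDK: every call requires the token."""

    def __init__(self, token, identity, groups):
        self._token = token
        self._identity = identity
        self._groups = list(groups)

    def _check(self, token):
        if token != self._token:
            raise PermissionError("bad token")

    def whoami(self, token):
        self._check(token)
        return dict(self._identity)

    def list_resource_groups(self, token):
        self._check(token)
        return list(self._groups)

    def delete_resource_group(self, token, name):
        # Exists in the SDK, but the broker never exposes it.
        self._check(token)
        self._groups.remove(name)


@dataclass
class BrokerResult:
    ok: bool
    data: object = None
    error: str = ""


class TokenBroker:
    """Holds the token; exposes only allowlisted read-only tools to the agent."""

    def __init__(self, cloud, token):
        self._cloud = cloud
        self._token = token
        self.audit = []  # every call, allowed or refused, for detection
        # Allowlist: tool name -> zero-argument callable that uses the token internally.
        self._tools = {
            "whoami": lambda: self._cloud.whoami(self._token),
            "list_resource_groups": lambda: self._cloud.list_resource_groups(self._token),
        }

    def tools(self):
        """The only thing the agent can discover: tool names, not credentials."""
        return sorted(self._tools)

    def call(self, tool, **kwargs):
        # Refuse unknown tools (including any attempt to ask for the token)
        # and refuse arguments, since none of the allowed tools take any.
        if tool not in self._tools or kwargs:
            self.audit.append(("refused", tool, dict(kwargs)))
            return BrokerResult(ok=False, error=f"refused: {tool!r}")
        self.audit.append(("allowed", tool, {}))
        return BrokerResult(ok=True, data=self._tools[tool]())


def build_demo_broker():
    # Constructed identity and resource groups for the demo.
    cloud = FakeCloud(SAMPLE_TOKEN, {"user": "agent-ro@example.invalid"}, ["rg-dev", "rg-ci"])
    return TokenBroker(cloud, SAMPLE_TOKEN)


def simulate_compromised_agent(broker):
    """Everything a fully hostile agent can get from the broker: data, never the token."""
    return {
        "whoami": broker.call("whoami"),
        "list_resource_groups": broker.call("list_resource_groups"),
        "get_token": broker.call("get_token"),
        "delete_resource_group": broker.call("delete_resource_group", name="rg-dev"),
    }


if __name__ == "__main__":
    broker = build_demo_broker()
    for name, result in simulate_compromised_agent(broker).items():
        print(f"{name}: {result}")
    print("audit:", broker.audit)
```

The two things worth checking in your own broker are the same two things this demo checks: nothing the agent can call returns a string containing the token, and every refused call lands in an audit record you actually look at.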

The only CLIs in the agent’s container are git, gh (GitHub), and whatever is needed to build and test. Even if you install curl and the like, they won’t work without the proxy flags, because all outbound traffic has to go through a proxy. What’s the proxy for? Limiting internet access: only the hosts the agent legitimately needs (the git remote, the package registries) are reachable.