Intermediate 📅 Last Updated: July 1, 2026 ⏱️ 12 min read 🤖 Local AI Agents
Never give an agent blanket access to your home directory. Point it at a single working directory, start in read-only mode, escalate to read-write only when you need edits, and never grant shell/exec permission without a sandbox. The safe pattern: --allowed-path ./project --read-only first, review output, then unlock writes in a git-committed folder so you can roll back anything the agent changes.
Read this if: You are running a local agent (Goose, Aider, OpenHands, Continue) and it needs to read or edit real project files. You want to keep your dotfiles, secrets, and unrelated projects safe.
Skip if: You are only chatting with a model through Open WebUI or Ollama CLI — no file access involved. Nothing here applies yet.
git checkoutMachine: MSI laptop (dual GPU)
GPU: NVIDIA RTX 5070 Ti Laptop (12GB) + RTX 5070 (12GB)
CPU: Intel Core Ultra 7 255HX (20 cores)
RAM: 96GB
OS: Ubuntu 26.04 LTS
Agents: Goose 1.0, Aider 0.7
Date: July 2026
Think of file access as four escalating trust tiers. Always start at the lowest level that gets the job done.
| Level | Name | What the Agent Can Do | Use When |
|---|---|---|---|
| 0 | None / Sandboxed | Chat only. No filesystem access at all. | General questions, brainstorming, research. |
| 1 | Read-Only (scoped) | Read files inside one folder. Cannot write or delete. | Code review, summarizing docs, answering "what does this do?" |
| 2 | Read-Write (scoped) | Read and edit files inside one folder only. | Refactoring, writing docs, generating code into the project. |
| 3 | Read-Write + Shell | Edit files AND run commands (npm, cargo, tests). | Trusted agents in a sandbox/container only. High risk. |
This is your safety net. Every agent edit becomes a diff you can reject.
cd ~/projects/my-app
git init
git add -A
git commit -m "baseline before agent work"
Point Goose at the project folder with no write access:
# Goose: restrict to one directory, read-only
goose session --path ~/projects/my-app --permissions read
# Aider: read-only by default, must opt into edits
aider --no-auto-commits --subtree-only ./src
Now ask the agent to review the code. It can read everything in my-app but cannot change a single byte. If it suggests an edit, apply it yourself.
# Goose: allow edits inside the project only
goose session --path ~/projects/my-app --permissions read write
The agent still cannot touch ~/.ssh, ~/.config, your browser profile, or any other project. Commit after each task so you can roll back:
# Review what the agent changed
git diff
# Keep it
git add -A && git commit -m "agent: refactor auth module"
# Reject it
git checkout .
Only do this inside a container. The agent can run commands but cannot escape.
# Run the agent inside a Docker sandbox with a mounted volume
docker run -it --rm \
-v ~/projects/my-app:/workspace \
-w /workspace \
--network none \
sandbox-agent:latest
# Inside the sandbox, the agent sees /workspace only.
# No home directory. No SSH keys. No internet.
| Allow | Block (always) |
|---|---|
| The single project folder | ~/.ssh, ~/.gnupg, any SSH/GPG keys |
Generated output folders (./out, ./build) | ~/.aws, ~/.config, .env files |
Read access to shared docs (./docs) | Browser profiles, password manager vaults |
| Git-tracked source files | Other projects on your machine |
| Test fixtures and sample data | Real customer data, production DB dumps |
~/Cause: You launch the agent in your home directory "for convenience," so it sees every file you own — including .env files with API keys.
Fix: Always cd into the specific project before launching. Use --subtree-only or the equivalent flag so the agent cannot walk up the tree.
Cause: An agent with shell permission can run rm -rf, curl secrets to a remote server, or install malware. A prompt-jailbreak can trigger all of this.
Fix: Never give Level 3 access on your host OS. Use Docker, Firejail, or a VM. See the warning below.
Cause: The agent rewrites 40 files. You liked the old versions. They are gone.
Fix: git commit before every agent session. git checkout . is your undo button.
Cause: Some agents have a YOLO/auto-approve setting that skips confirmation. Convenient, dangerous.
Fix: Leave it off. Approve edits manually until you trust a specific workflow, then re-enable only inside a sandbox.
An agent with shell/exec permission is effectively a remote user on your machine. A jailbroken prompt (and they happen) can instruct it to curl malicious.sh | bash, exfiltrate your .env files, or rm -rf your home directory. Shell access belongs in a container or VM — never on your host. If you would not hand a stranger your laptop unlocked, do not hand an agent shell access unsandboxed.
| Level | Setup | Risk |
|---|---|---|
| Safe | Read-only, scoped to one folder, git baseline | None — worst case the agent sees your project code. |
| Balanced | Read-write, scoped to one folder, git baseline, manual approval | Low — you can revert any change instantly. |
| Advanced | Read-write + shell, inside Docker sandbox, network disabled | Medium — contained blast radius. Good for trusted agents. |
Default to read-only, scoped to the project folder. Move to read-write only when the agent has proven it understands the codebase, and always commit first so
git checkout .undoes a bad edit. I have never given an agent shell access on my host OS. The one time I needed it for running tests, I spun up a throwaway container with--network none. Two minutes of setup saves you from a wiped home directory.
Run the agent in Docker with specific directories mounted as read-only volumes. This limits access to only files you share and prevents modification. Tools like Goose have built-in permission systems that ask approval before file operations.
Giving unrestricted read-write access to your entire home directory. This can lead to accidental deletion, exposure of SSH keys or .env files, or harmful commands. Always scope access to the minimum directory needed.
Start with read-only for most research and analysis tasks. Grant write access only to a specific output directory. Tools like Goose let you set per-directory permissions to mix read-only and write-access paths.
Docker significantly reduces risk by containing file access, network calls, and system changes. However, it does not prevent data exfiltration over network if the agent has internet access. Combine Docker with network restrictions for maximum safety.
Goose has a permission system prompting approval for each tool action. Configure allowlists in the config file to pre-approve specific directories or commands. Use '--no-auto-approve' for sensitive environments.
The $19 Starter Kit includes a printable security checklist: allowed paths, blocked paths, permission tiers, and a pre-flight script that scans your project for secrets before the agent runs.
Get the Starter Kit ($19) →Send me your agent config and I will tell you exactly what to lock down. $99.
Get a Setup Review →Get the free Local AI Setup Checklist delivered to your inbox.
Get the Free ChecklistLast Updated: July 1, 2026 — Verified against Goose 1.0 and Aider 0.7 on Ubuntu 26.04 LTS.