[longtermop]

The microservices framing resonates but surfaces an interesting security question. In your orchestration example:

  research = await research_agent.call("Find Q3 earnings...")
  analysis = await doc_agent.call(f"Analyze this data: {research}")

When one agent's output flows directly into another's input, you've created an implicit trust boundary. What happens if the research skill fetches data from a compromised source that includes adversarial instructions? The doc_agent receives {research} as trusted input but it's actually attacker-controlled content.

Skills that touch external systems (web scrapers, API clients, document parsers) become injection surfaces. This is analogous to the microservices problem of validating input at service boundaries, but harder because the "input" here is natural language that gets interpreted, not just parsed.

Curious how boxlite handles sanitization between skill invocations. Is there a recommended pattern for treating inter-agent data as untrusted, or does the micro-VM isolation handle this by containing blast radius rather than preventing injection?

(Working on related problems at Aeris PromptShield - this is genuinely one of the trickier aspects of composable agent architectures.)

[dorianzheng]

I think you basically answered the entire question 1. Our fundamental assumption is: anything that hands control to an agent/skill is potentially compromised (especially if it touches the web / parses docs). So we isolate that work in its own Box with least privilege: minimal mounts (prefer read-only), no ambient secrets, tight CPU/mem limits, and only the network access it actually needs. 2. BoxLite doesn’t try to solve inter-agent “data trust” / prompt-injection by sanitizing content. What it does do is make sure untrusted code can’t hurt the host, and that sensitive local info doesn’t leak (i.e. it reduces blast radius). If you want semantic safety between agents, you still need boundary hygiene patterns (structured outputs, extraction/validation steps, etc.).