LangChain Launches LangSmith Sandboxes for Secure AI Agent Code Execution

Darius Baruo
Mar 17, 2026 16:28

LangChain unveils LangSmith Sandboxes in Private Preview, offering microVM-isolated environments for AI agents to safely execute untrusted code.





LangChain has released LangSmith Sandboxes in Private Preview, providing developers with isolated environments where AI agents can execute code without compromising host infrastructure. The feature ships with microVM isolation, persistent state management, and integration with the existing LangSmith SDK.

The timing addresses a growing pain point. Coding agents from Cursor to Claude Code have demonstrated what’s possible when AI can write and run its own code. But that capability comes with risk—research from ClawSecure found that 41% of OpenClaw skills contained vulnerabilities that could execute destructive or malicious actions on local environments.

What’s Actually Shipping

LangSmith Sandboxes run on hardware-virtualized microVMs rather than standard Linux containers. That’s a meaningful distinction: traditional containers share the host kernel, so a container escape is one kernel bug away from the host, while each microVM boots its own guest kernel, giving every sandbox instance kernel-level isolation from the host and from its neighbours.

Developers can spin up sandboxes with a single SDK call, bring their own Docker images from private registries, and define reusable templates for CPU and memory configurations. The system supports pooling and autoscaling—pre-provisioned warm sandboxes eliminate cold start delays, with additional instances spinning up automatically under load.

For longer agent tasks, sandboxes maintain persistent WebSocket connections with real-time output streaming. Files, installed packages, and environment state carry over between runs, so agents don’t lose context across multiple interactions.

Security gets handled through an Authentication Proxy that routes external service calls without exposing credentials to the sandbox runtime. Secrets never touch the execution environment.
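The credential-isolating proxy pattern the article describes, as an added illustration (not LangSmith’s code; the article gives no implementation details): code inside the sandbox names the service it wants to reach, and a proxy running outside the sandbox holds the secret, attaches it to the outbound request, and redacts it from anything that flows back. The service names, placeholder tokens, upstream hosts and the stubbed network call are all constructed for the example.

```python
"""Credential-isolating proxy, illustrative only.

The sandbox never sees SECRET_STORE; it can only ask the proxy to call an
allow-listed service by name. Secrets and hosts here are constructed
placeholders, not real credentials or LangSmith internals.
"""

from dataclasses import dataclass, field

# Placeholder credentials held only by the proxy process (constructed values).
SECRET_STORE = {
    "github": "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN",
    "slack": "xoxb-PLACEHOLDER-NOT-A-REAL-TOKEN",
}

# Allow-list of upstream bases the sandbox may reach through the proxy.
UPSTREAMS = {
    "github": "https://api.github.com",
    "slack": "https://slack.com/api",
}


class ProxyRejected(Exception):
    """Raised when a sandbox request is refused before any upstream call."""


@dataclass
class UpstreamRequest:
    url: str
    headers: dict = field(default_factory=dict)


def build_upstream_request(service: str, path: str, sandbox_headers: dict) -> UpstreamRequest:
    """Validate the sandbox's request and attach the real credential."""
    if service not in UPSTREAMS:
        raise ProxyRejected(f"service {service!r} is not allow-listed")
    if not path.startswith("/") or ".." in path:
        raise ProxyRejected("path must be absolute and contain no '..'")
    # The proxy owns the Authorization header; sandbox code may not supply one,
    # which also stops it from redirecting calls with a credential of its own.
    for name in sandbox_headers:
        if name.lower() == "authorization":
            raise ProxyRejected("sandbox may not set Authorization")
    headers = dict(sandbox_headers)
    headers["Authorization"] = f"Bearer {SECRET_STORE[service]}"
    return UpstreamRequest(url=UPSTREAMS[service] + path, headers=headers)


def redact(text: str) -> str:
    """Strip every stored secret from text before it reaches the sandbox or a
    log, so an upstream that echoes the token cannot leak it back inside."""
    for secret in SECRET_STORE.values():
        text = text.replace(secret, "[REDACTED]")
    return text


def handle_sandbox_call(service: str, path: str, sandbox_headers: dict, send):
    """Full round trip: validate, attach credential, send, redact the reply.

    `send` is injected so the example runs offline against a stub; a real
    deployment would pass an HTTP client here.
    """
    req = build_upstream_request(service, path, sandbox_headers)
    status, body = send(req)
    return status, redact(body)


def fake_send(req: UpstreamRequest):
    """Constructed stand-in for the network. It echoes the Authorization
    header back, mimicking a misbehaving upstream, to show redaction working."""
    return 200, f"ok url={req.url} auth={req.headers['Authorization']}"


if __name__ == "__main__":
    status, body = handle_sandbox_call(
        "github", "/repos/org/repo", {"Accept": "application/json"}, fake_send
    )
    print(status, body)
```

The two checks that matter are that the sandbox cannot name an arbitrary host (the allow-list) and cannot override the credential the proxy attaches; redaction on the way back covers the case where the upstream, or an error page, reflects the header.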

Framework Flexibility

LangChain built this to work beyond their own ecosystem. The Python and JavaScript SDKs integrate with LangChain’s Deep Agents framework and Open SWE project, but the sandboxes function with other frameworks or none at all.

Multiple agents can share sandbox access, eliminating the need to transfer artifacts between isolated environments. Tunnels expose sandbox ports to local machines for previewing agent output before deployment.

The Roadmap

LangChain outlined several features in active development: shared volumes for cross-sandbox state management, binary authorization to restrict which programs can execute, and full execution tracing that logs every process and network call inside the VM.

The binary authorization piece could prove particularly valuable. Agents frequently exhibit unexpected behavior—installing packages, exporting credentials, consuming compute on unintended tasks. Restricting execution at the binary level mirrors how enterprises lock down corporate devices.

Developers interested in the Private Preview can join the waitlist through LangChain’s website. The company is soliciting feedback through their Slack community on feature prioritization.
