smolvm: Sub-200ms VMs for Agents
Show HN today: smolvm hit 165 points. Sub-200ms cold start virtual machines with hardware isolation. The use case is right there in the README — sandboxing untrusted code that agents want to run.
It's a CLI for running ephemeral VMs and packing stateful machines into portable .smolmachine files. Network access defaults to deny, with an allowlist. SSH agent forwarding lets agents use host credentials without exposing private keys to the guest. A Smolfile gives you declarative config for reproducible execution contexts.
The agent sandbox category got serious in the last six months. Every coding agent eventually wants to run code it generated. Microsoft's container plays, Daytona's containers, E2B's micro-VMs, Modal's functions — same primitive, different packaging. smolvm's bet is that 200ms cold starts plus hardware isolation hits a sweet spot the others miss: fast enough to feel local, isolated enough to trust untrusted output.
This is the unsexy plumbing layer that determines whether agents can actually execute. The model picks the action. The harness runs the action. The sandbox decides if the action stays contained. Right now nobody owns this layer cleanly. smolvm is one of the bets.
Link: https://github.com/smol-machines/smolvm