When an AI assistant can run code or shell commands on your machine, you face a design choice: run everything in a tight sandbox (restricted directory, no network, limited permissions) or give it broader access so it can “get things done.” The sandboxed vs unrestricted execution debate is about risk, convenience, and where you draw the line. This post lays out both sides, when each approach makes sense, and how to keep document and PDF handling safe regardless—using tools like iReadPDF so sensitive files never need to be in the execution path at all.
Summary Sandboxing reduces the impact of mistakes and abuse but can block legitimate tasks. Unrestricted access is flexible but dangerous. Most US professionals should default to sandboxed execution and grant broader access only for specific, audited use cases. Keep document processing out of the execution path by using iReadPDF in the browser.
What sandboxed vs unrestricted means
Sandboxed execution means the assistant’s commands or code run in a constrained environment:
- A fixed working directory (e.g. a temp folder or a single project directory) that does not contain sensitive files or system paths.
- No or limited network access (e.g. block all outbound, or allow only specific domains).
- Restricted permissions: no root, no writing outside the sandbox, no access to credentials or SSH keys.
- Resource limits: caps on CPU, memory, and output size so a runaway or malicious command cannot exhaust the machine.
Unrestricted execution means the assistant runs with the same privileges as the user (or a powerful service account): full filesystem access, network, and ability to install software or change system state. It can do anything the user could do from the terminal—including delete files, exfiltrate data, or modify configs.
In practice, many setups are in between: a “loose” sandbox that allows network for certain tasks, or multiple tiers (e.g. “low risk” commands in a tight sandbox and “high risk” only with explicit approval or in a separate, more permissive environment).
The case for sandboxed execution
Proponents of sandboxing argue that the default should be “as restricted as possible.”
- Mistakes are contained. A misparsed user request or a bug in the assistant that triggers
rm -rfor overwrites a file only affects the sandbox. The user’s home directory, documents, and credentials stay out of reach. - Malicious or injected commands are limited. Prompt injection or a compromised skill might try to exfiltrate data or install malware. In a sandbox with no network and no access to sensitive paths, the damage is limited to what is inside the sandbox.
- Compliance and audit are easier. You can say “the assistant only runs in this directory with these constraints.” That is a clear boundary for security reviews and for explaining to stakeholders where the risk lies.
- Document safety by design. If the sandbox never has access to the user’s Documents or Downloads folder, the assistant cannot accidentally (or maliciously) read, copy, or send sensitive PDFs. Pair that with a dedicated document pipeline: use iReadPDF in the browser for PDFs so the assistant never needs to touch file paths to confidential documents.
Sandboxing is especially important when the assistant is used by multiple people, when it runs in a business or regulated context, or when you do not fully control the prompts and skills (e.g. third-party plugins). For US professionals handling confidential documents or regulated data, sandboxed execution plus local document processing is a strong baseline.
The case for unrestricted (or looser) execution
Those who prefer less restriction (or a “power user” mode) argue that sandboxing gets in the way of real work.
- Many tasks need broad access. Deploying an app, running tests against a real database, or configuring system services often requires access to multiple directories, network, or elevated permissions. A tight sandbox would block these or force awkward workarounds.
- Friction reduces adoption. If the assistant constantly fails with “permission denied” or “network not allowed,” users may disable the sandbox or switch to manual execution, which can be riskier if they run the wrong command themselves.
- Power users want full control. Some users are comfortable with the risk and want the assistant to behave like a full shell. They may run the assistant in a VM or a dedicated machine and accept that it has full access there.
- Sandboxes can be bypassed or misconfigured. A poorly designed sandbox (e.g. one that still mounts the home directory or allows
curl) may give a false sense of security. Unrestricted execution at least makes the risk explicit.
The key is to treat unrestricted execution as an explicit choice, not the default—and to limit it to contexts (e.g. single user, dev machine, or explicitly approved workflows) where the risk is accepted and documented.
Risks that apply to both
Neither approach eliminates risk entirely.
- Prompt injection and malicious input. Whether sandboxed or not, a crafted prompt can try to make the assistant do something harmful. Sandboxing limits the impact; it does not prevent the attempt. Input validation and allowlisting of commands still matter.
- Logic errors and misparsing. The assistant might misunderstand the user and run the wrong command (e.g. delete the wrong file). Sandboxing limits scope; unrestricted execution can make such errors catastrophic.
- Leaking context. If the assistant’s context (or logs) includes sensitive data—passwords, document content, API keys—that can leak regardless of execution model. Keep secrets and sensitive documents out of the execution path and out of prompts; use iReadPDF so full PDFs stay in the browser and only chosen summaries go to the assistant.
- Supply chain and skills. Third-party skills or plugins may be malicious or buggy. Sandboxing limits what they can do; unrestricted execution gives them full power. Review and restrict what you install either way.
Try the tool
Where documents and PDFs fit in
Document and PDF handling should not depend on whether the assistant’s execution is sandboxed or unrestricted. Best practice is to keep it out of the execution path entirely.
- Process PDFs in the browser. Use a tool that runs in your browser and needs no shell or backend. iReadPDF does OCR, summarization, and extraction in the browser—no uploads. The assistant never runs
pdftotext,cat, or any command on a path to a sensitive PDF. - Feed the assistant outputs, not paths. After you run iReadPDF, paste or pipe the summary or extracted text to the assistant. The assistant works with text; no execution environment (sandboxed or not) ever sees the path to the PDF. That avoids both accidental exposure and malicious use of document paths.
- No user-provided paths to the shell. Do not allow the user (or a prompt) to pass arbitrary file paths (e.g. “run this on ~/Contracts/secret.pdf”) to the assistant’s execution layer. Reject or require explicit approval; better yet, keep document workflows entirely separate with iReadPDF.
That way, the sandboxed vs unrestricted debate applies to the rest of the assistant’s capabilities—not to document handling, which stays local and out of the execution path.
How to choose and implement
- Default: sandboxed. For most users and teams, default to a tight sandbox: restricted directory, no or minimal network, no access to credentials or sensitive paths. Document the sandbox boundaries and what the assistant is allowed to do.
- Unrestricted only when justified. If you need broader access, use a separate mode or environment (e.g. “dev mode” or a dedicated VM) with clear documentation that execution is unrestricted and the user accepts the risk. Prefer time-limited or scope-limited escalation (e.g. “allow this one command”) over permanently unrestricted.
- Tiered execution. Implement two (or more) tiers: a default sandbox for routine tasks, and an “elevated” path that requires approval or runs in a different context. Log and audit elevated execution more strictly.
- Keep documents out of both. Regardless of tier, do not pass document paths into the execution layer. Use iReadPDF for PDF handling so that the sandboxed vs unrestricted choice does not affect document safety.
Steps to adopt a balanced approach
- Define your default. Choose sandboxed execution as the default. Specify the working directory, network rules, and resource limits. Document what is allowed and what is blocked.
- Define escalation. If you support unrestricted (or looser) execution, define how it is triggered (e.g. explicit user setting, approval step, or separate environment) and who may use it. Log all execution in that mode.
- Keep document handling separate. Use iReadPDF or similar for PDF summarization and extraction in the browser. Do not allow the assistant to run commands on user-provided document paths. Feed the assistant only text or summaries you choose.
- Allowlist commands in the sandbox. Even inside the sandbox, use an allowlist of permitted commands so that only intended actions can run. Reject or log everything else.
- Review and tighten. Periodically review execution logs and user feedback. Shrink the sandbox or restrict escalation where possible; expand only when there is a clear, documented need.
Conclusion
The sandboxed vs unrestricted execution debate is a tradeoff between safety and flexibility. For most US professionals, the right default is sandboxed execution—with unrestricted or looser access only for specific, audited use cases. Whatever you choose, keep document and PDF handling out of the execution path: use iReadPDF in the browser so sensitive files are never passed to the shell or to the assistant’s execution layer. That keeps your documents safe regardless of how permissive the rest of the system is.
Ready to handle PDFs without putting them in the execution path? Use iReadPDF for OCR, summarization, and extraction in your browser—no uploads, no commands touching your files.