The sandbox gives a Neo Agent a temporary, isolated Linux environment for the run: a shell, plus simple file read and write. Use it for data wrangling that doesn’t fit a fixed tool — parsing an export, running a bulk script across many records, transforming a file, assembling a report.
Every agent has a sandbox — there’s nothing to set up or toggle, and the agent reaches for it on its own when the work calls for it. It’s created fresh for the run and discarded afterwards.
What It Does
| Tool | What it does | Tier |
|---|
| Sandbox Bash | Run a shell command in the sandbox and read its output | Standard |
| Sandbox Read File | Read a file from the sandbox | Basic |
| Sandbox Write File | Write a file in the sandbox | Basic |
- Loop one API call across hundreds of records in a single script instead of hundreds of agent turns
- Parse or reshape a CSV/JSON export the agent fetched from another tool
- Run a one-off calculation or text transformation
- Build an intermediate file the agent then attaches via Generate Artifact
If you want to steer the agent toward (or away from) the sandbox on a particular workflow, say so in custom instructions — e.g. “use the sandbox to parse the exported CSV before summarising it.”
When any integration tool (PSA, RMM, Microsoft 365, documentation, …) returns a response too large for the agent to read in one go, Neo automatically saves the complete response to a file in the sandbox and shows the agent a short preview plus the file path. The agent then filters and aggregates the file inside the sandbox and works with just the slices it needs — so a big data pull never derails the run or forces the agent to re-fetch with narrower queries.
Safety
| Control | Behavior |
|---|
| Scoped network access | The sandbox can only reach the integrations enabled on the agent, through an authenticated proxy that enforces the same permission groups as the agent’s regular tools. Code in the sandbox never sees credentials. |
| Isolated and ephemeral | Beyond the proxy, the sandbox sees only what the agent puts in it. It’s destroyed at the end of the run. |
| Test mode | When test mode is on, sandbox commands still run but any write that would change your systems (PSA updates, emails, …) is blocked at the proxy. |
| Technician approval | If any enabled integration requires Technician-in-the-Loop, sandbox commands require an approved request first. |
