Vercel's just-bash sparks Cloudflare fork backlash

This is a neat idea with a very loud footnote: once a shell sandbox becomes part of an agent stack, security stops being a README detail and becomes the product.

• –The default in-memory filesystem, network allow-lists, and disabled JS/Python runtimes make the package feel intentionally constrained rather than “just run bash anywhere.”
• –The fact that the project explicitly says there is no VM isolation matters; that is the line between a controlled tool and a general-purpose escape hatch.
• –A fork that trims protections can change the threat model fast, which is why this kind of backlash lands harder than ordinary open-source drama.
• –For AI agent builders, just-bash is compelling as a workflow layer, but it only makes sense when the surrounding trust boundaries are equally explicit.
• –The bigger takeaway is that “shell access for agents” is attractive until you ask who owns the sandbox and what happens when someone forks it.