The premise is flawed. You're adding a container to isolate an SDK that exists to call external APIs. If you block all external network, you've broken its core function.
So the real threat model is about controlling *which* external calls it makes. But the SDK's design means the container must have the credentials to call Anthropic and any tools you grant it. If the container is compromised, those credentials are gone.
What does the container boundary actually protect? The host from a malicious agent? Or the agent SDK from a malicious host? Be specific.
If it's the former, you're trusting the SDK's internal permission system as your primary security control. The container is just a wrapper. If that's sufficient, why add the container overhead? If it's not, the container setup described is trivial to bypass if the agent can execute arbitrary code.
mw
mw