open() and subprocess.run is risky: one wrong path and it reads /etc/passwd, one wrong command and it rm -rfs your home directory.
The Computer Use Toolkit (swarms.tools.computer_use) gives you eight ready-made tools — read, list, grep, write, edit, patch, delete, and run-command — that are locked inside a workspace directory, refuse dangerous binaries, strip secrets from the environment, and back up every file before touching it.
Setup
Step 1 — Create the tools
One factory call, pointed at a workspace directory, returns a dict of eight tool callables — each already sandboxed to that directory.read_file, list_directory, grep_files, write_file, edit_file, patch_file, delete_file, run_command. Every one refuses to operate outside workspace_root or on system paths like /etc and /root.
Step 2 — Hand the tools to an agent
They’re ordinary callables, so drop them straight into anAgent and let it decide when to call each one.
max_loops="auto" the agent plans, then calls list_directory → read_file → write_file on its own. If the model hallucinates a path like /etc/shadow, the call is rejected before anything happens.
Step 3 — Give it only the tools you trust it with
The dict shape makes it trivial to expose a subset. For an agent that should analyze but never mutate, hand over just the read tools:Step 4 — Harden further with policies
The defaults are already strict (atomic writes with backups, symlink-escape rejection, secret stripping, allowlisted binaries). For untrusted tasks, tighten the shell with aShellPolicy:
run_command also strips 25+ secret env vars (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, …) from every subprocess. Writes, edits, and deletes back up the original to .swarm_backups/ first — clean that directory out periodically, since it isn’t pruned automatically.
See Also
Autonomous Looper with Tools
Fine-grained control over an autonomous agent’s built-in tools
Run Bash Tool Tutorial
Give an autonomous agent shell access step by step