docker · dvdksn · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 15, 2026
@@ -62,13 +62,17 @@ Without extra args, the sandbox runs:
 claude --dangerously-skip-permissions
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-`--dangerously-skip-permissions`, include it yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`), so `--dangerously-skip-permissions` is
+preserved:
 
 ```console
-$ sbx run claude -- --dangerously-skip-permissions -c
+$ sbx run claude -- -c   # runs claude --dangerously-skip-permissions -c
 ```
 
+When the first argument is a bare word, such as the `agents` subcommand, it
+replaces the defaults instead.
+
 See the [Claude Code CLI reference](https://code.claude.com/docs/en/cli-reference)
 for available options.
 

@@ -73,8 +73,9 @@ Without extra args, the sandbox runs:
 codex --dangerously-bypass-approvals-and-sandbox
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-the flag, include it yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`). A bare word — such as a prompt — replaces the
+defaults instead, so lead with the flag to keep bypass mode:
 
 ```console
 $ sbx run codex -- --dangerously-bypass-approvals-and-sandbox "fix the build"

@@ -59,13 +59,16 @@ Without extra args, the sandbox runs:
 copilot --yolo
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-`--yolo`, include it yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`), so `--yolo` is preserved:
 
 ```console
-$ sbx run copilot -- --yolo -p "review this PR"
+$ sbx run copilot -- -p "review this PR"   # runs copilot --yolo -p "review this PR"
 ```
 
+When the first argument is a bare word — a subcommand or prompt — it replaces
+the defaults instead.
+
 ## Base image
 
 Template: `docker/sandbox-templates:copilot`

@@ -65,13 +65,16 @@ Without extra args, the sandbox runs:
 cursor-agent --yolo
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-`--yolo`, include it yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`), so `--yolo` is preserved:
 
 ```console
-$ sbx run cursor -- --yolo -p "refactor this"
+$ sbx run cursor -- -p "refactor this"   # runs cursor-agent --yolo -p "refactor this"
 ```
 
+When the first argument is a bare word — a subcommand or prompt — it replaces
+the defaults instead.
+
 ## Base image
 
 Template: `docker/sandbox-templates:cursor-agent-docker`

@@ -60,8 +60,10 @@ Without extra args, the sandbox runs:
 docker-agent run --yolo
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-`run --yolo`, include them yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`). When the first argument is a bare word — such
+as the `run` subcommand or a config file — it replaces the defaults, so include
+`run --yolo` yourself:
 
 ```console
 $ sbx run docker-agent -- run --yolo agent.yml

@@ -65,13 +65,16 @@ Without extra args, the sandbox runs:
 gemini --yolo
 ```
 
-Args after `--` replace these defaults rather than being appended. To keep
-`--yolo`, include it yourself:
+Arguments after `--` are added after the default flags when the first one is
+itself a flag (begins with `-`), so `--yolo` is preserved:
 
 ```console
-$ sbx run gemini -- --yolo -p "explain this"
+$ sbx run gemini -- -p "explain this"   # runs gemini --yolo -p "explain this"
 ```
 
+When the first argument is a bare word — a subcommand or prompt — it replaces
+the defaults instead.
+
 ## Base image
 
 Template: `docker/sandbox-templates:gemini`

@@ -85,10 +85,12 @@ Without extra args, the sandbox runs:
 kiro chat --trust-all-tools
 ```
 
-Args after `--` replace these defaults rather than being appended. This is
-why `sbx run kiro -- login --use-device-flow` works for the login subcommand.
-To keep `chat --trust-all-tools` alongside your own args, include them
-yourself:
+When the first argument after `--` is a flag (begins with `-`), it's added
+after the defaults — for example, `sbx run kiro -- --resume` runs
+`kiro chat --trust-all-tools --resume`. When the first argument is a bare word,
+it replaces the defaults, which is why `sbx run kiro -- login --use-device-flow`
+runs the login subcommand on its own. To run `chat` with extra arguments of
+your own, include the subcommand:
 
 ```console
 $ sbx run kiro -- chat --trust-all-tools --resume

@@ -23,14 +23,16 @@ $ sbx run shell -- -c "echo 'Hello from sandbox'"
 
 ## Default startup command
 
-Without extra args, the sandbox runs `bash -l`. Args after `--` replace `-l`
-rather than being appended. To preserve login-shell behavior, include `-l`
-yourself:
+Without extra args, the sandbox runs `bash -l`. When the first argument after
+`--` is a flag (begins with `-`), it's added after `-l`, so login-shell
+behavior is preserved:
 
 ```console
-$ sbx run shell -- -l -c "echo hi"
+$ sbx run shell -- -c "echo hi"   # runs bash -l -c "echo hi"
 ```
 
+When the first argument is a bare word, it replaces `-l` instead.
+
 Set your API keys as environment variables so the sandbox proxy can inject
 them into API requests automatically. Credentials are never stored inside
 the VM:

@@ -2,7 +2,7 @@
 title: FAQ
 weight: 70
 description: Frequently asked questions about Docker Sandboxes.
-keywords: docker sandboxes, sbx, faq, sign in, telemetry
+keywords: docker sandboxes, sbx, faq, sign in, telemetry, clipboard, image paste
 ---
 
 ## Why do I need to sign in?
@@ -159,6 +159,35 @@ Collocating skills and other agent configuration with the project itself is a
 good practice regardless of sandboxes. It's versioned alongside the code and
 evolves with the project as it changes.
 
+## Can I paste images into an agent?
+
+Yes, but it's off by default. Text paste already works, because the terminal
+sends it directly. Pasting an image or screenshot with `Ctrl+V` is different:
+the agent reads it from your host clipboard, and the sandbox blocks that access
+unless you opt in.
+
+Turn it on with a local setting:
+
+```console
+$ sbx settings set clipboard.imagePaste true
+```
+
+`Ctrl+V` then pastes host images into agents that read the clipboard, including
+Claude Code and Codex. The setting takes effect within a few seconds, even for
+running sandboxes.
+
+This is opt-in because it relaxes the sandbox's isolation: when enabled, a process
+inside the sandbox can read your host clipboard through the host-side proxy. The
+exposure is narrow — reads happen only on a paste, return image data only
+(`image/png`), and clipboard content is never cached or logged — but it's still
+host data crossing into the sandbox, so it stays off until you turn it on.
+
+To turn it back off:
+
+```console
+$ sbx settings set clipboard.imagePaste false
+```
+
 ## Can I use Docker Sandboxes on headless Linux?
 
 Yes. On Linux, `sbx` stores secrets in the Secret Service exposed by your

@@ -63,7 +63,8 @@ A network evaluation record looks like this:
     "no applicable policies for op(action=net:connect:tcp, resource=net:domain:example.com:443)"
   ],
   "action_type": "network_egress",
-  "network_egress": { "protocol": "tcp" }
+  "network_egress": { "protocol": "tcp" },
+  "agent": "claude"
 }
 ```
 
@@ -83,6 +84,7 @@ Common fields include:
 | `resource_id`      | The target of the evaluation, such as a host and port.                                                       |
 | `decision`         | `AUDIT_DECISION_ALLOW` or `AUDIT_DECISION_DENY`.                                                             |
 | `deny_reason`      | Why a denied request was blocked. Present on deny decisions.                                                 |
+| `agent`            | The AI agent driving the sandbox (for example, `claude`, `codex`). Omitted when the agent is unknown.       |
 
 Each record is attributed to the signed-in Docker user and the organization
 whose governance policy is in effect.