Feat: improve agent experience in sandboxed envs

[NickCrews]

When working in a VM sandbox in claude.ai (as of May 6 2026, this could change any day), I have been experiencing papercuts getting a duckdb CLI installed as well as installing extensions. These are because the sandbox restricts network access to a short allowlist of package manager domains such as pypi, github.com, etc.

Regular python package installation

It is possible to get the agent to pip install duckdb and that works just fine for getting a python lib installed for the agent to write python scripts. This is NOT the pain point for me.

CLI

I want to let my agent use a cli for simple bash piping without needing to build up an entire python script (which it will happily do, but take 3x the tokens it needs and be more error prone).

The regular duckdb CLI installation of curl https://install.duckdb.org | sh fail because that host is not on the allowlist. So we need to get a cli via a pip install.

We could expose that in this package: add a __main__.py module at the top level, so after pip installing the user can do python -m duckdb -c "SELECT 42". Or/and add a [project.scripts] entry to the pyproject.toml so that after pip installing the user can simply do duckdb -c "SELECT 42".

I found https://github.com/duckdb/duckdb-python-cli, which looks like it intends to solve the same problem, and it does actually work in the sandbox, because it downloads the cli binary from github releases, which is on the sandboxes domain allow-list. This was just non obvious for me as a user (only found by searching the duckdb org on github for "cli" to see where the cli was published), and if it were part of the normal python package that would be more discoverable. Or maybe put it in the docs somewhere where humans/agents could discover it more easily?

Extensions

I need to connect to motherduck with claude. But at first usage, duckdb tries to install the extension at runtime, and this fails because the download url is not on the allowlist.

So again, we need to install from pypi using the duckdb-extension-motherduck, duckdb-extension-httpfs, etc PyPI
packages from https://github.com/santosh-d3vpl3x/duckdb_extensions.

This works, it just is super non obvious. The agent keeps giving up at this point.

I wonder if we can make this more discoverable: in this python package, can we detect and wrap this error ("failed to install extension") and then include tips on how to get around this? Should we make it so this package has extras for the extensions, eg we can suggest "Try pip install duckdb[extension-motherduck] to be able to use this package."? We need to be careful about giving our endorsement for that extension repo. It is controlled by a 3rd party and this is a ripe vector for supply chain attacks. So maybe we would need to absorb it into the duckdb org officially for that to be a good option? Maybe make publishing to pypi part of the https://github.com/duckdb/community-extensions repo?

Summary

I'm maybe rambling a bit now and I'm not actually sure exactly what my ask is here. In general, make it easier for agents in sandboxed envs to get a CLI and extensions installed.

[evertlammerts]

Hey @NickCrews, did you already look at https://github.com/duckdb/duckdb-skills?

[NickCrews]

no I hadn't seen that, thanks! I will probably use that for personal coding use. But that looks not quite applicable:

• that is a plugin for claude code. I need this to work on claude.ai (so I can get my non-technical teammates access to our motherduck), which just has skills and mcp
• that doesn't solve the domain allowlist problem at all, even if I used those skills they would still try to download the cli and extensions from duckdb.org