diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index e2f5fb3cc..f6bf2eaf6 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -91,6 +91,20 @@ in
       extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
     };
 
+    "sane-scripts.dev-cargo-loop".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      net = "clearnet";
+      whitelistPwd = true;
+      extraPaths = [
+        # a build script can do a lot... but a well-written one will be confined
+        # to XDG dirs and the local dir, and maybe the internet for fetching dependencies.
+        ".cache"
+        ".config"
+        ".local"
+      ];
+    };
+
     "sane-scripts.find-dotfiles".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";
diff --git a/pkgs/additional/sane-scripts/src/sane-dev-cargo-loop b/pkgs/additional/sane-scripts/src/sane-dev-cargo-loop
index 1aaf569f7..b16c635e9 100755
--- a/pkgs/additional/sane-scripts/src/sane-dev-cargo-loop
+++ b/pkgs/additional/sane-scripts/src/sane-dev-cargo-loop
@@ -4,7 +4,7 @@
 # optionally, provide your own build command as the first argument
 
 external_cmd="cargo build --all"
-if [ "x$1" != "x" ]
+if [ -n "$1" ]
 then
         external_cmd=$1
 fi