
NVIDIA OpenShell: Sandbox Your AI Agents Safely

NVIDIA OpenShell: kernel-level sandbox runtime for autonomous AI agents

Your AI agent just read your .ssh directory. Not on purpose — you asked it to patch a deployment script. But it had access to your entire home directory, so it checked. NVIDIA OpenShell is the open-source runtime that puts a hard wall between what your agent can do and what it’s supposed to do. If you’re running autonomous agents without some form of containment, this is worth thirty minutes of your time.

The Problem Nobody’s Talking About

Autonomous agents — Claude Code, Codex, Cursor’s background agent — are not text generators. They have real capabilities: filesystem read/write, shell execution, network access, API calls. When you spin one up locally or in CI/CD, it typically runs with the same permissions as the process that launched it. That means your agent can read your ~/.aws/credentials, your .env files, your SSH keys. It can make outbound requests to any host. It can call whatever APIs your token grants access to.

Most developers know this but accept it as a necessary trade-off. They shouldn’t have to. According to a 2026 security report, 92% of enterprises deploying AI agents lack audit logs for autonomous agent actions. No logs means no visibility, which means no accountability when something goes wrong.

What NVIDIA OpenShell Is

OpenShell is an open-source, policy-driven sandbox runtime for autonomous AI agents, released by NVIDIA under Apache 2.0 at GTC 2026. It runs agents inside kernel-level sandboxes governed by declarative YAML policies. You define exactly what the agent can read, write, and connect to — and the kernel enforces it, not a wrapper library that the agent could theoretically bypass.

The project lives at github.com/NVIDIA/OpenShell. It’s currently at v0.0.47, still alpha, and the documentation is honest about what it is: proof-of-life, single-developer mode, rough edges expected.

How It Actually Works

OpenShell stacks three Linux kernel security mechanisms to create defense-in-depth:

  • Seccomp — syscall filtering. Blocks dangerous system calls like ptrace, mount, and raw socket creation. If the agent process attempts a blocked syscall, the kernel kills it immediately. No exceptions.
  • Landlock LSM — filesystem restrictions, introduced in Linux 5.13. Every sandboxed process and its children can only access the filesystem paths explicitly listed in the policy. Everything else is inaccessible at the kernel level, not by convention.
  • Network namespaces — the sandbox runs in an isolated network namespace with a proxy gateway. Even if an agent ignores proxy environment variables, it can only reach the proxy. All outbound traffic is default-deny unless explicitly allowed in the policy.

The key differentiator over plain Docker is per-binary network ACLs. Only the claude binary is permitted to connect to api.anthropic.com — not every process in the container. If something other than Claude tries to make that call, it gets blocked. This matters more than it sounds when you consider that prompt injection attacks frequently work by getting an agent to invoke secondary tools that exfiltrate data.

The Policy Is Just YAML

Policies are declarative YAML files. Static sections (filesystem, process) lock at sandbox creation. Dynamic sections (network, inference) can be hot-reloaded while the sandbox is running — useful when you want to tighten or expand network access without restarting the agent.

A minimal policy looks like this:

filesystem_policy:
  include_workdir: true
  read_only:
    - /usr
    - /lib
    - /etc
  read_write:
    - /sandbox
    - /tmp

network_policies:
  anthropic_api:
    endpoints:
      - host: api.anthropic.com
        port: 443
    binaries:
      - path: /usr/local/bin/claude

The include_workdir: true flag grants the agent read-write access to the current working directory. Everything outside the listed paths is off-limits. The full policy schema reference is at docs.nvidia.com/openshell/reference/policy-schema. Version-control the YAML alongside your project — treat it like an infrastructure-as-code contract for what your agent is allowed to do.
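To make the contract concrete, here is an added checker (not OpenShell's own code) that evaluates the minimal policy above the way the post describes it: default-deny filesystem access with the workdir included, per-binary network rules, and a lint pass that flags credential-bearing paths or a rule not tied to a binary. The policy is embedded as the dict yaml.safe_load would return; the matching rules and the SENSITIVE watch-list are assumptions for illustration, not OpenShell's real semantics.

```python
POLICY = {  # constructed: the minimal policy above, as yaml.safe_load returns it
    "filesystem_policy": {"include_workdir": True,
                          "read_only": ["/usr", "/lib", "/etc"],
                          "read_write": ["/sandbox", "/tmp"]},
    "network_policies": {"anthropic_api": {
        "endpoints": [{"host": "api.anthropic.com", "port": 443}],
        "binaries": [{"path": "/usr/local/bin/claude"}]}},
}

def _under(path, prefix):
    # True when path equals prefix or lies beneath it; "/" covers everything
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")

def path_access(policy, path, workdir):
    # Default deny: only listed paths (plus the workdir when included) are reachable
    fs = policy["filesystem_policy"]
    rw = list(fs.get("read_write", [])) + ([workdir] if fs.get("include_workdir") else [])
    if any(_under(path, p) for p in rw):
        return "rw"
    if any(_under(path, p) for p in fs.get("read_only", [])):
        return "ro"
    return "denied"

def network_allowed(policy, binary, host, port):
    # Per-binary ACL, default deny: the calling binary must be listed on a rule
    # whose endpoints include this host:port (assumed: no binaries means no match)
    for rule in policy.get("network_policies", {}).values():
        if binary not in {b["path"] for b in rule.get("binaries", [])}:
            continue
        if any(e.get("host") == host and e.get("port") == port for e in rule.get("endpoints", [])):
            return True
    return False

SENSITIVE = ("/root", "/home")  # constructed watch-list of credential-bearing trees

def lint(policy):
    # Flag choices that defeat containment: home/root trees exposed to the agent,
    # or a network rule with no binaries, so it is not actually per-binary
    findings = []
    fs = policy["filesystem_policy"]
    for p in list(fs.get("read_write", [])) + list(fs.get("read_only", [])):
        if any(_under(p, s) or _under(s, p) for s in SENSITIVE):
            findings.append(f"filesystem exposes sensitive path: {p}")
    for name, rule in policy.get("network_policies", {}).items():
        if not rule.get("binaries"):
            findings.append(f"{name}: no binaries listed; tie each endpoint to a binary")
    return findings
```

Run lint over the policy in CI before the sandbox is created; a policy that lists a home directory in read_write is exactly the .ssh scenario from the opening paragraph.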

Getting Running in Two Commands

The install and first run are faster than most security tooling has any right to be:

curl -fsSL https://get.openshell.nvidia.com | sh
openshell sandbox create -- claude

If ANTHROPIC_API_KEY is set in your environment, OpenShell detects it automatically, creates a credential provider, and injects it into the sandbox. The default policy shipped with the community base image already covers Claude Code’s required endpoints — no custom policy needed to start. Full quickstart at docs.nvidia.com/openshell/get-started/quickstart.

For GPU access, add the --gpu flag. Codex and other agents work the same way: OpenShell auto-discovers credentials for Claude, Codex, OpenCode, and Copilot from your shell environment.

What It Doesn’t Do

OpenShell is not a complete security solution. It stops the sandbox from reaching outside itself — it does not prevent inference-level prompt injection (that’s a separate problem requiring input validation and output filtering). It does not protect against a malicious base image. And it only runs on Linux with kernel 5.13 or newer. macOS and Windows are not supported; the kernel-level mechanisms it relies on are Linux-specific.

Enterprise teams should also note: multi-tenant deployment is on the roadmap but not shipping. Right now this is a single-developer, single-environment tool. The policy schema is still evolving — don’t build hard dependencies on the YAML structure in production automation yet.

The Bottom Line

OpenShell fills a gap that’s been obvious for two years but nobody shipped a clean solution for: you shouldn’t have to choose between agent capability and agent containment. The two-command setup is fast enough that there’s no good reason not to run it during local development. For CI/CD and production agent pipelines on Linux infrastructure, it’s close to mandatory.

The alpha caveats are real. But the kernel-level enforcement is real too. Use it now for local dev and experimental pipelines. Follow the GitHub for the policy schema stabilization — that’s the milestone that makes this production-safe. The NVIDIA technical blog post has the deeper architecture walkthrough if you want to understand the enforcement order under the hood.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
