← 返回
未分类 中文

Alfred OpenShell Sandbox

Provides isolated sandboxes using NVIDIA OpenShell for secure code execution, security scans, debugging, and test running with resource and network restricti...
使用 NVIDIA OpenShell 提供隔离沙箱,确保安全代码执行、安全扫描、调试及测试运行,并对资源和网络进行限制。
lllljokerllll sabatech-dev 来源
未分类 clawhub v1.0.0 1 版本 100000 Key: 无需
★ 0
Stars
📥 340
下载
💾 0
安装
1
版本
#isolation#latest#nvidia#openshell#sandbox#security

概述

OpenShell Sandbox Skill

Secure execution environment for specialist agents using NVIDIA OpenShell.

Overview

OpenShell provides sandboxed containers with Landlock LSM + seccomp + network namespaces + L7 policy engine. Each specialist agent gets an isolated sandbox for safe code execution.

Sandboxes Available

SandboxAgentPurposeStatus
---------------------------------
coder-sandboxcoderCode execution, builds, testsReady
security-sandboxsecurityPentesting, security scansReady
debug-sandboxdebugBug reproduction, diagnosisReady
test-sandboxqa-testerTest executionReady

CLI Reference

# List all sandboxes
openshell sandbox list

# Execute command in sandbox
openshell sandbox exec -n <sandbox-name> -- <command> [args...]

# Interactive shell
openshell sandbox connect -n <sandbox-name>

# Create new sandbox
openshell sandbox create --name <name>

# Delete sandbox
openshell sandbox delete <name>

# View logs
openshell logs -n <sandbox-name>

# Gateway status
openshell status

# Diagnose issues
openshell doctor check

Agent Integration

For Coder Agent

When executing code that could affect the host system:

# Instead of running locally:
python3 script.py

# Run in sandbox:
openshell sandbox exec -n coder-sandbox -- python3 /workspace/script.py

For Security Agent

When running security tools or scans:

# Run nmap, nikto, etc. in isolated sandbox
openshell sandbox exec -n security-sandbox -- nmap -sV target

For Debug Agent

When reproducing bugs or testing fixes:

openshell sandbox exec -n debug-sandbox -- node test.js

For QA-Tester

When running test suites:

openshell sandbox exec -n test-sandbox -- pytest tests/

File Transfer

To copy files between host and sandbox:

# Copy file INTO sandbox (via exec cat)
cat local_file.py | openshell sandbox exec -n coder-sandbox -- tee /workspace/local_file.py

# Copy file FROM sandbox
openshell sandbox exec -n coder-sandbox -- cat /workspace/result.txt > local_result.txt

Policies

Default policies apply L7 network restrictions. To view/modify:

openshell policy list

Resource Limits

  • CPU: Shared with host (24GB RAM server)
  • Network: Restricted by L7 policy (no outbound by default)
  • Disk: Ephemeral (deleted with sandbox)
  • Timeout: 30 min default per exec command

Troubleshooting

  • Sandbox not found: Run openshell sandbox list to check status
  • Gateway down: Run openshell status and openshell doctor check
  • Permission denied: Sandboxes run as unprivileged user
  • Network blocked: Default policy denies outbound; use openshell policy to modify

Architecture

Host (Ubuntu ARM64)
  └── OpenShell Gateway (Docker + k3s)
       ├── coder-sandbox (aarch64, Python 3.13, Node 22)
       ├── security-sandbox (aarch64)
       ├── debug-sandbox (aarch64)
       └── test-sandbox (aarch64)

Version

  • OpenShell CLI: 0.0.35
  • Base image: ghcr.io/nvidia/openshell-community/sandboxes/base:latest
  • Platform: aarch64 (ARM64)

版本历史

共 1 个版本

  • v1.0.0 当前
    2026-05-07 21:31 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

it-ops-security

OpenClaw Backup

alex3alex
备份与恢复 OpenClaw 数据。适用于创建备份、设置自动备份计划、从备份恢复或管理备份轮转。处理 ~/.openclaw 目录归档并包含适当的排除规则。
★ 90 📥 31,074
it-ops-security

Free Ride - Unlimited free AI

shaivpidadi
管理OpenClaw的OpenRouter免费AI模型,自动按质量排名模型,配置速率限制备用方案,并更新opencla...
★ 472 📥 78,580
ai-agent

Alfred Rolling Summarization

lllljokerllll
每15轮或工具循环时主动更新简洁的会话摘要,以管理上下文大小并保留关键决策和进度。
★ 0 📥 512