🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
BytesAgain β€Ί Skills β€Ί Alfred OpenShell Sandbox
πŸ¦€ ClawHub

Alfred OpenShell Sandbox

by @sabatech-dev

Provides isolated sandboxes using NVIDIA OpenShell for secure code execution, security scans, debugging, and test running with resource and network restricti...

Versionv1.0.0
Downloads269
#coding#legal
TERMINAL
clawhub install alfred-openshell-sandbox

πŸ“– About This Skill

OpenShell Sandbox Skill

Secure execution environment for specialist agents using NVIDIA OpenShell.

Overview

OpenShell provides sandboxed containers with Landlock LSM + seccomp + network namespaces + L7 policy engine. Each specialist agent gets an isolated sandbox for safe code execution.

Sandboxes Available

| Sandbox | Agent | Purpose | Status | |---------|-------|---------|--------| | coder-sandbox | coder | Code execution, builds, tests | Ready | | security-sandbox | security | Pentesting, security scans | Ready | | debug-sandbox | debug | Bug reproduction, diagnosis | Ready | | test-sandbox | qa-tester | Test execution | Ready |

CLI Reference

# List all sandboxes
openshell sandbox list
Execute command in sandbox

openshell sandbox exec -n  --  [args...]
Interactive shell

openshell sandbox connect -n 
Create new sandbox

openshell sandbox create --name 
Delete sandbox

openshell sandbox delete 
View logs

openshell logs -n 
Gateway status

openshell status
Diagnose issues

openshell doctor check

Agent Integration

For Coder Agent

When executing code that could affect the host system: 
# Instead of running locally:
python3 script.py
Run in sandbox:

openshell sandbox exec -n coder-sandbox -- python3 /workspace/script.py

For Security Agent

When running security tools or scans: 
# Run nmap, nikto, etc. in isolated sandbox
openshell sandbox exec -n security-sandbox -- nmap -sV target

For Debug Agent

When reproducing bugs or testing fixes: 
openshell sandbox exec -n debug-sandbox -- node test.js

For QA-Tester

When running test suites: 
openshell sandbox exec -n test-sandbox -- pytest tests/

File Transfer

To copy files between host and sandbox: 

# Copy file INTO sandbox (via exec cat)
cat local_file.py | openshell sandbox exec -n coder-sandbox -- tee /workspace/local_file.py
Copy file FROM sandbox

openshell sandbox exec -n coder-sandbox -- cat /workspace/result.txt > local_result.txt

Policies

Default policies apply L7 network restrictions. To view/modify: 

openshell policy list

Resource Limits

  • CPU: Shared with host (24GB RAM server)
  • Network: Restricted by L7 policy (no outbound by default)
  • Disk: Ephemeral (deleted with sandbox)
  • Timeout: 30 min default per exec command

    • Troubleshooting

  • Sandbox not found: Run openshell sandbox list to check status
  • Gateway down: Run openshell status and openshell doctor check
  • Permission denied: Sandboxes run as unprivileged user
  • Network blocked: Default policy denies outbound; use openshell policy to modify

    • Architecture

    Host (Ubuntu ARM64)
  └── OpenShell Gateway (Docker + k3s)
       β”œβ”€β”€ coder-sandbox (aarch64, Python 3.13, Node 22)
       β”œβ”€β”€ security-sandbox (aarch64)
       β”œβ”€β”€ debug-sandbox (aarch64)
       └── test-sandbox (aarch64)

    Version

  • OpenShell CLI: 0.0.35
  • Base image: ghcr.io/nvidia/openshell-community/sandboxes/base:latest
  • Platform: aarch64 (ARM64)

    • πŸ“‹ Tips & Best Practices

  • Sandbox not found: Run openshell sandbox list to check status
  • Gateway down: Run openshell status and openshell doctor check
  • Permission denied: Sandboxes run as unprivileged user
  • Network blocked: Default policy denies outbound; use openshell policy to modify