NVIDIA OpenShell

NVIDIA OpenShell is an open-source runtime environment that isolates AI agents within a sandbox and controls file, network, process, and inference operations through declarative policies.
Why a Dedicated Execution Environment for Agents Is Needed
AI agents write code, install packages, and rewrite configuration files—continuously modifying their own working environment. While ordinary Docker containers are primarily designed to isolate applications, OpenShell specializes in safely running these "agents that keep changing their environment." Its defining characteristic is "out-of-process" enforcement: rather than constraining agents through prompts (behavioral instructions), it imposes restrictions on the environment itself in which the agent operates. Because the constraints take effect outside the agent, they cannot be overridden by the agent itself—even if the agent is compromised. NVIDIA has released it as open source under the Apache 2.0 license, and the source code is available at github.com/NVIDIA/OpenShell.
Four Protection Domains and Kernel-Level Isolation
OpenShell implements a multi-layered defense across four domains—filesystem, network, process, and inference—to prevent credential theft, data exfiltration, privilege escalation, and unauthorized transmission to unapproved models, respectively. Filesystem isolation uses the Linux kernel's Landlock LSM, while process restriction relies on seccomp. The inference domain functions as a privacy router, keeping sensitive context local with open models and forwarding to frontier models only when policy permits. Policies are written in declarative YAML; filesystem and process rules are fixed at creation time, while network and inference rules support hot-reloading during runtime. The principle of least privilege—"deny by default, explicitly allow only what is necessary"—aligns with the concept of privacy by isolation, which protects data through physical segregation.
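The deny-by-default and static-versus-hot-reload semantics described above, as an added example that is not OpenShell's own code. The dictionary keys (read_write, deny_syscalls, allow, allowed_models) and class names are hypothetical and do not reflect OpenShell's real policy schema; a plain dict stands in for the parsed YAML.

```python
# Added illustration: every field name here is hypothetical, not OpenShell's schema.
# A dict stands in for the parsed YAML policy so the example has no dependencies.
STATIC_DOMAINS = ("filesystem", "process")   # fixed when the sandbox is created
DYNAMIC_DOMAINS = ("network", "inference")   # may be hot-reloaded at runtime

class PolicyError(Exception):
    """Raised when a runtime update tries to change a creation-time rule."""

class SandboxPolicy:
    def __init__(self, policy: dict):
        # A domain missing from the policy gets an empty rule set: nothing allowed.
        self._rules = {d: dict(policy.get(d, {}))
                       for d in STATIC_DOMAINS + DYNAMIC_DOMAINS}

    def reload(self, new_policy: dict) -> None:
        """Apply a runtime update; validate static domains before changing anything."""
        for d in STATIC_DOMAINS:
            if d in new_policy and new_policy[d] != self._rules[d]:
                raise PolicyError(f"{d} rules are fixed at creation time")
        for d in DYNAMIC_DOMAINS:
            if d in new_policy:
                self._rules[d] = dict(new_policy[d])

    def allow_egress(self, host: str, port: int) -> bool:
        """Deny by default: only an explicit host and port match permits egress."""
        for rule in self._rules["network"].get("allow", []):
            if host.lower() == rule["host"].lower() and port in rule.get("ports", []):
                return True
        return False

    def allow_model(self, model: str) -> bool:
        """Inference requests go only to models the policy names explicitly."""
        return model in self._rules["inference"].get("allowed_models", [])

# Constructed sample policy (hosts, paths and model names are made up).
INITIAL = {
    "filesystem": {"read_write": ["/workspace"], "read_only": ["/usr"]},
    "process": {"deny_syscalls": ["ptrace", "mount"]},
    "network": {"allow": [{"host": "pypi.org", "ports": [443]}]},
    "inference": {"allowed_models": ["local-open-model"]},
}
```

Because reload checks the static domains before touching the dynamic ones, an update that mixes a forbidden filesystem change with a network change is rejected as a whole.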
Supported Agents and Use Cases
The CLI automatically detects credentials for recognized agents (Claude Code, Codex, OpenCode, etc.) from the shell environment, meaning most agents can be run inside the sandbox without any code modifications. Supported backends are the Docker and Podman container runtimes, as well as MicroVMs such as the lightweight virtual machine Firecracker. The more autonomy an agent is granted, the more critical the design of guardrails and containment becomes. Our standard approach is to first verify behavior in a small sandbox, then gradually expand the policy. Detailed setup instructions are provided in the related article: "What Is NVIDIA OpenShell? A Quick-Start Guide to a Sandbox for Running AI Agents Safely."