OpenSandbox
OpenSandbox is an open-source (Apache 2.0 License) sandbox infrastructure platform for AI applications. It lets you securely run commands, code interpreters, browsers, and developer tools in isolated environments, for coding agents, GUI/browser automation, agent evaluation, RL training, and AI code execution. It solves the core problem of LLM agents executing untrusted, model-generated code by wrapping isolated runtimes in a unified protocol, SDKs, a CLI, and an MCP server. Created by Alibaba; in the CNCF Landscape.
Architecture
- Control plane: Python/FastAPI server with SQLite persistence (uvx opensandbox-server); orchestrates create/list/get/health/kill and routes to a runtime backend
- In-sandbox agent: execd daemon, a Go/Gin REST daemon exposing command, file, and metrics APIs
- OpenSandbox Sandbox Protocol: the OpenAPI contract that makes runtimes pluggable
- Runtime backends: Docker (single host) and Kubernetes (distributed), with optional hardened runtimes (gVisor, Kata Containers, Firecracker microVM) for stronger host isolation
- OpenSandbox Credential Vault and a per-sandbox egress sidecar for prompt-injection-safe secrets and network policy
- Ingress gateway and a BatchSandbox Kubernetes CRD controller for pooled, pre-warmed sandboxes
Interfaces
- osb CLI (pip install opensandbox-cli)
- Five SDKs (Python, JS/TS, Java/Kotlin, Go, C#) sharing a Connect, Create, Operate, Cleanup pattern
- A Code Interpreter primitive (Python/Java/Node/Go via Jupyter inside the sandbox)
- An opensandbox-mcp MCP server so clients like Claude Code and Cursor can drive sandboxes
Versus Docker Sandboxes
Docker Sandboxes is a microVM container engine feature. OpenSandbox sits a layer above: it treats containers (or gVisor/Kata/Firecracker) as pluggable runtimes and adds sandbox lifecycle, code-interpreter primitives, the Credential Vault, egress policy, and batch delivery. It is an AI-agent execution platform, not a container runtime.
References
- https://open-sandbox.ai/
- https://open-sandbox.ai/getting-started/
- https://open-sandbox.ai/architecture/
- https://github.com/opensandbox-group/OpenSandbox
Related
- Docker Sandboxes
- OpenSandbox Sandbox Protocol
- execd daemon
- OpenSandbox Credential Vault
- osb CLI
- AI Agents
- Agentic Engineering
- Model Context Protocol (MCP)
- Apache 2.0 License
- microVM
- Vercel Sandboxes
- Cloudflare Sandbox SDK
- Sandcastle (AI)
About Sébastien
I'm Sébastien Dubois, and I'm on a mission to help knowledge workers escape information overload. After 20+ years in IT and seeing too many brilliant minds drowning in digital chaos, I've decided to help people build systems that actually work. Through the Knowii Community, my courses, products & services and my Website/Newsletter, I share practical and battle-tested systems.