OpenShell by NVIDIA

Secure runtime for autonomous AI agents

Created 2 months ago
5,615 stars

Top 8.9% on SourcePulse

Project Summary

OpenShell provides a secure, private runtime for autonomous AI agents, safeguarding data, credentials, and infrastructure through declarative YAML policies. It offers sandboxed execution environments that prevent unauthorized access and data exfiltration, targeting developers and researchers building secure AI agent systems. The primary benefit is enhanced operational security and data privacy for AI workloads.

How It Works

OpenShell isolates agents within containers, enforcing egress routing via a policy engine. A lightweight gateway orchestrates sandbox lifecycles. Every outbound connection is intercepted and either allowed, denied, or routed for inference, stripping sensitive credentials where necessary. The system runs as a K3s Kubernetes cluster within a single Docker container, providing defense-in-depth across filesystem, network, process, and inference layers. Network and inference policies are hot-reloadable at runtime without restarting sandboxes.

Quick Start & Requirements

  • Install: Recommended binary install: curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh. Alternatively, via PyPI: uv tool install -U openshell.
  • Prerequisites: Docker (Desktop or daemon) must be running. For GPU support, host NVIDIA drivers and the NVIDIA Container Toolkit are required.
  • First Sandbox: openshell sandbox create -- claude (or other agents like opencode, codex).
  • Links: Full Documentation, Quickstart, Architecture Docs, Support Matrix.

Highlighted Details

  • Declarative YAML policies enforce filesystem, network, and process constraints.
  • Hot-reloadable network and inference policies allow dynamic security updates.
  • Supports passing host GPUs into sandboxes for AI workloads.
  • Features an agent-first development model with built-in agent skills for project tasks.
  • Includes a real-time, keyboard-driven terminal UI (TUI) for cluster monitoring.

Maintenance & Community

Questions are handled on GitHub Discussions. Bug reports should be filed via GitHub Issues. Security vulnerabilities are handled per SECURITY.md. The project is developed using agent-driven workflows.

Licensing & Compatibility

Licensed under the Apache License 2.0. This license generally permits commercial use and integration with closed-source projects.

Limitations & Caveats

The project is currently designated as "Alpha software" and operates in "single-player mode," focusing on single-developer environments. Users should "expect rough edges" as the project builds towards multi-tenant enterprise deployments.

Health Check

  • Last commit: 22 hours ago
  • Responsiveness: Inactive
  • Pull requests (30d): 275
  • Issues (30d): 151
  • Star history: 1,026 stars in the last 30 days
