SmolVM by CelestoAI

AI agents with secure, disposable virtual computers

Created 2 months ago
308 stars

Top 87.0% on SourcePulse

Summary

SmolVM provides AI agents with secure, disposable virtual machine (VM) sandboxes for executing code, browsing the web, and performing tasks. It targets developers and researchers needing isolated environments for untrusted code or agent workflows, offering enhanced security and rapid VM provisioning.

How It Works

SmolVM leverages Firecracker micro-VMs for hardware-level isolation, offering superior security compared to containerization. Key features include sub-second VM boot times (~500ms), enabling ephemeral environments. It supports network egress filtering via domain allowlists, full browser sessions for agent interaction, and read-only mounting of host directories for code access.

Quick Start & Requirements

Installation is streamlined via a curl script (curl -sSL https://celesto.ai/install.sh | bash) or pip install smolvm followed by smolvm setup. Requires Python 3.10+ and runs on Linux and macOS. Linux installations may need sudo for host dependency configuration. Official documentation is available at docs.celesto.ai, and community support can be found on Slack.

Highlighted Details

  • Performance: ~500ms VM creation/start, ~3.5s full lifecycle.
  • Isolation: Hardware-level security via Firecracker VMs.
  • Agent Interaction: Full browser sessions and host directory mounting (read-only).
  • Security Controls: Network domain allowlisting for egress traffic.
  • Features: Snapshots, OpenClaw for GUI apps, CLI and Python API.

Maintenance & Community

Developed by Celesto AI, the project utilizes GitHub Actions for continuous integration and testing. A community Slack channel is available for user interaction and support.

Licensing & Compatibility

Distributed under the permissive Apache 2.0 license, permitting commercial use and integration into closed-source projects.

Limitations & Caveats

Host directory mounts are currently read-only, with write-back functionality planned. The default trust model for new sandboxes is suitable for local development; production deployments require careful network security configuration, particularly when exposing sandbox ports.

Health Check

  • Last Commit: 21 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 102
  • Issues (30d): 8
  • Star History: 145 stars in the last 30 days
