OpenSandbox
Apache-2.0 sandbox runtime and SDK suite for AI agents, with Python, Java/Kotlin, JavaScript/TypeScript, C#/.NET, and Go SDKs, Docker and Kubernetes runtimes, OpenSandbox MCP server, CLI, code interpreter, filesystem and command tools, network policy, credential vault, and secure container runtime guidance.
Open the source and read safety notes before installing.
Safety notes
- OpenSandbox exposes sandbox creation, command execution, file read/write/delete/search/move, endpoint exposure, metrics, and lifecycle control; restrict who can call those tools and which images they can run.
- MCP clients can ask OpenSandbox to write files, run commands, install dependencies, expose ports, and kill or renew sandboxes. Require approval gates for high-impact workloads.
- Container and Kubernetes sandboxes are isolation boundaries, not magic safety guarantees; configure seccomp, capabilities, mounts, network egress, resource limits, image trust, and cleanup behavior.
- Credential Vault can reduce secret exposure, but injected credentials still need least privilege, rotation, audit logging, and outbound network controls.
- Security policy says only the latest release and main branch are actively supported with security updates; pin versions and plan upgrades accordingly.
Privacy notes
- Sandbox workloads can process source code, prompts, tool arguments, command output, uploaded files, generated files, environment variables, credentials, logs, metrics, endpoints, and network destinations.
- The MCP server and CLI can store API keys, domain configuration, sandbox IDs, command history, file paths, and endpoint details in local configs, shell history, logs, or MCP client state.
- Kubernetes, Docker registries, ingress gateways, credential vaults, OpenTelemetry or audit systems, and hosted OpenSandbox endpoints may retain workload metadata and outputs depending on deployment.
- Do not run untrusted code with access to private networks, production credentials, customer data, or broad egress without isolation, monitoring, and retention rules.
Prerequisites
- Python 3.10 or newer for the Python SDK, CLI, and MCP package, or the selected Java/Kotlin, JavaScript/TypeScript, .NET, or Go runtime for another SDK.
- Docker for local execution, or Kubernetes and cluster access for distributed scheduling.
- An OpenSandbox server endpoint, protocol, API key, sandbox image, timeout, network policy, and cleanup policy.
- Credential Vault and egress policy design before letting agent workloads reach external APIs or private services.
- Security review for Docker, Kubernetes, gVisor, Kata Containers, Firecracker microVMs, ingress routing, volumes, and persistent storage patterns.
Schema details
| Field | Value |
|---|---|
| Install type | cli |
| Troubleshooting | No |
| Scope | Source repo |
| Estimated setup | 45 minutes |
| Difficulty | advanced |
| Website | https://open-sandbox.ai |
| Pricing | free |
| Disclosure | editorial |
| Application category | DeveloperApplication |
| Operating system | Cross-platform |
Full copyable content
pip install opensandbox
pip install opensandbox-cli
pip install opensandbox-mcp
About this resource
Overview
OpenSandbox is an Apache-2.0 sandbox platform for AI applications and agents. The project provides multi-language SDKs, a CLI, an MCP server, Docker and Kubernetes runtimes, network policy controls, credential vault support, command/file/code-interpreter environments, and guidance for secure container runtimes such as gVisor, Kata Containers, and Firecracker microVMs.
Use it when an agent needs an isolated place to run commands, write files, execute code, expose temporary services, or run workload-specific tools without handing the agent direct access to the host machine.
Install
For the Python SDK:
pip install opensandbox
For the CLI:
pip install opensandbox-cli
For MCP clients:
pip install opensandbox-mcp
opensandbox-mcp --domain localhost:8080 --protocol http
The README also documents Java/Kotlin, JavaScript/TypeScript, .NET, and Go SDK installation paths. Pick the SDK that matches the agent host and runtime.
MCP Setup
The OpenSandbox MCP server exposes sandbox lifecycle, command execution, and text file operations to MCP-capable clients. A Claude Code stdio setup uses:
claude mcp add opensandbox-sandbox --transport stdio -- \
opensandbox-mcp --api-key "$OPEN_SANDBOX_API_KEY" --domain "$OPEN_SANDBOX_DOMAIN"
The MCP docs also describe HTTP transport and Cursor configuration. Treat the MCP server as a privileged tool boundary because it can create sandboxes, run commands, read and write files, expose endpoints, and terminate workloads.
Agent Capabilities
| Area | OpenSandbox Coverage |
|---|---|
| SDKs | Python, Java/Kotlin, JavaScript/TypeScript, C#/.NET, and Go |
| CLI | osb commands for sandbox lifecycle, commands, files, egress, credential vault, diagnostics, and skills |
| MCP | opensandbox-mcp tools for sandbox create/connect/kill/list/renew/metrics, command run/interrupt, and text file operations |
| Runtime | Docker local runtime and high-performance Kubernetes runtime |
| Environments | Command, filesystem, code interpreter, browser automation, VNC, VS Code, and agent examples |
| Network | Ingress gateway, endpoint exposure, and sandbox egress controls |
| Secrets | Credential Vault for controlled outbound requests |
| Isolation | Guidance for gVisor, Kata Containers, and Firecracker microVMs |
Use Cases
- Give Claude Code, Cursor, or another MCP client a sandboxed command and file execution surface.
- Run coding-agent workloads inside Docker or Kubernetes instead of directly on a developer workstation.
- Expose a temporary service from a sandbox and return its endpoint to an agent.
- Add egress policy and credential vault controls around agent workloads.
- Run code interpreter tasks, browser automation, VNC desktops, or VS Code environments inside managed sandboxes.
- Compare OpenSandbox with E2B, Daytona, Microsandbox, and other agent sandbox infrastructure.
Source Review
Verified on 2026-06-18:
- The upstream README describes OpenSandbox as a general-purpose sandbox platform for AI applications with multi-language SDKs, unified sandbox APIs, Docker/Kubernetes runtimes, agent examples, network policy, credential vault, and secure runtime guidance.
- The README states that OpenSandbox is listed in the CNCF Landscape.
- The README documents Python, Java/Kotlin, JavaScript/TypeScript, .NET, and Go SDK installation paths.
- The README documents osb, opensandbox-mcp, local Docker server startup, code interpreter SDK usage, and examples for Claude Code, Gemini CLI, OpenAI Codex CLI, Qwen Code, Kimi CLI, LangGraph, Google ADK, and OpenClaw.
- The MCP README says the MCP server exposes sandbox lifecycle management, command execution, and text file operations to Claude Code, Cursor, and other MCP-capable clients.
- The CLI README documents sandbox creation, command execution, file upload and download, network egress policy, credential vault state, diagnostics, and OpenSandbox-specific skill installation.
- PyPI resolves opensandbox version 0.1.11, opensandbox-cli version 0.1.1, and opensandbox-mcp version 0.1.1.
- The latest GitHub release is java/code-interpreter/v1.0.13, published on 2026-06-16.
- SECURITY.md documents supported versions, release signatures, security reporting, egress policy best practices, audit logging, and least privilege.
Safety and Privacy
OpenSandbox reduces risk by giving agents a dedicated execution environment, but it still runs real code, files, services, images, credentials, and network requests. The sandbox runtime, image source, network policy, credential vault, volume mounts, endpoint exposure, logs, and cleanup policy determine the real security boundary.
Do not treat MCP access as harmless. The MCP server exposes operations that can create workloads, write files, run commands, expose ports, and return outputs to the model. Keep sensitive workloads behind approval, least privilege, network restrictions, observability, and retention controls.
Duplicate Check
Checked current content/tools/, content/agents/, content/mcp/, content/skills/, guides, open pull requests, and repository-wide content for OpenSandbox, opensandbox-group/OpenSandbox, alibaba/OpenSandbox, opensandbox, opensandbox-cli, opensandbox-mcp, OpenSandbox MCP, AI agent sandbox runtime, Kubernetes agent sandbox, Docker agent sandbox, and code interpreter sandbox. Existing E2B, Daytona, Microsandbox, and sandbox-security content cover adjacent infrastructure, but no dedicated OpenSandbox tools entry, exact source URL duplicate, target file, or open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. OpenSandbox is Apache-2.0 open-source software; hosted OpenSandbox endpoints, Kubernetes clusters, Docker registries, gVisor, Kata Containers, Firecracker microVMs, cloud providers, MCP clients, model providers, observability systems, and credential vault integrations may have separate licenses, billing, terms, privacy controls, and operational requirements.
How it compares
OpenSandbox side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | OpenSandbox: Apache-2.0 sandbox runtime and SDK suite for AI agents, with Python, Java/Kotlin, JavaScript/TypeScript, C#/.NET, and Go SDKs, Docker and Kubernetes runtimes, OpenSandbox MCP server, CLI, code interpreter, filesystem and command tools, network policy, credential vault, and secure container runtime guidance. | E2B: Open-source infrastructure for running AI-generated code in secure, isolated cloud sandboxes, with Python and JavaScript SDKs, a Code Interpreter package, and self-hosting options. | Daytona: Open-source infrastructure for securely running AI-generated code in isolated sandboxes that start in milliseconds, with SDKs for Python, TypeScript, and other languages, persistent snapshots, and an optional managed cloud. | LibreChat: Self-hosted AI chat and agent platform with LibreChat Agents, MCP support, reusable Skills, Subagents, Code Interpreter, web search, artifacts, multi-provider model routing, secure multi-user auth, and Docker Compose deployment. |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | tools | tools | tools | tools |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | OpenSandbox | E2B | Daytona | LibreChat |
| Added | 2026-06-18 | 2026-06-05 | 2026-06-05 | 2026-06-18 |
| Platforms | CLI | CLI | CLI | CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓ OpenSandbox exposes sandbox creation, command execution, file read/write/delete/search/move, endpoint exposure, metrics, and lifecycle control; restrict who can call those tools and which images they can run. MCP clients can ask OpenSandbox to write files, run commands, install dependencies, expose ports, and kill or renew sandboxes. Require approval gates for high-impact workloads. Container and Kubernetes sandboxes are isolation boundaries, not magic safety guarantees; configure seccomp, capabilities, mounts, network egress, resource limits, image trust, and cleanup behavior. Credential Vault can reduce secret exposure, but injected credentials still need least privilege, rotation, audit logging, and outbound network controls. Security policy says only the latest release and main branch are actively supported with security updates; pin versions and plan upgrades accordingly. | ✓ E2B is built to execute arbitrary, AI-generated code; run such code only inside its isolated cloud sandboxes, never directly on a developer machine. Sandbox network and filesystem access depend on configuration; review and restrict sandbox capabilities before running untrusted code. Generated code can still perform destructive or unexpected actions within a sandbox, so treat sandbox outputs and side effects with caution. Self-hosting deploys cloud infrastructure via Terraform that you are responsible for securing, patching, and isolating from production systems. | ✓ Daytona is purpose-built to execute arbitrary, AI-generated code; only run untrusted code inside its isolated sandboxes, never on the host. Each sandbox has its own kernel, filesystem, and network stack, but sandboxes can make outbound network requests unless network limits are configured. Sandboxes support computer use, Git operations, and command execution; scope what an agent can do and review declarative builder configurations before use. Self-hosting runs runner compute nodes and Docker services that need elevated host privileges; isolate the deployment from production systems. Persistent snapshots retain sandbox filesystem state across sessions, which can preserve secrets or sensitive files written during execution. | ✓ LibreChat can combine agents, MCP servers, Skills, Subagents, file search, web search, Code Interpreter, OpenAPI actions, functions, and custom endpoints; each connected tool needs explicit permission review. The Docker Compose file starts application, MongoDB, MeiliSearch, pgvector, and RAG API services and mounts `.env`, uploads, logs, images, and skill directories. Review volumes and secrets before exposing the instance. Code Interpreter is designed for sandboxed execution, but uploaded files, generated code, network access, and language runtimes still need isolation and quota controls. MCP servers can expose read/write tools from local or remote systems. Start with read-only servers, restrict tool scopes, and review logs before enabling account, filesystem, database, browser, or infrastructure actions. Multi-user auth, sharing, presets, agents, and prompt libraries can leak capabilities between users if roles, groups, and admin settings are misconfigured. |
| Privacy notes | ✓ Sandbox workloads can process source code, prompts, tool arguments, command output, uploaded files, generated files, environment variables, credentials, logs, metrics, endpoints, and network destinations. The MCP server and CLI can store API keys, domain configuration, sandbox IDs, command history, file paths, and endpoint details in local configs, shell history, logs, or MCP client state. Kubernetes, Docker registries, ingress gateways, credential vaults, OpenTelemetry or audit systems, and hosted OpenSandbox endpoints may retain workload metadata and outputs depending on deployment. Do not run untrusted code with access to private networks, production credentials, customer data, or broad egress without isolation, monitoring, and retention rules. | ✓ On the managed cloud, your code and execution data are sent to and run on E2B-operated infrastructure; review their privacy terms before processing sensitive data. API keys grant access to your sandboxes; store them in environment variables or a secrets manager and never commit them to source control. Data passed into a sandbox (files, inputs, environment variables) lives in that sandbox for its lifetime; avoid sending secrets you do not need there. Self-hosting keeps execution data on your own infrastructure, making log retention, access control, and isolation your responsibility. | ✓ Using the managed cloud sends your code, files, and execution data to Daytona-operated infrastructure; review their terms before processing sensitive data. The platform emits OpenTelemetry metrics, log streaming, and audit logs that can capture command output and activity. API keys grant access to your sandboxes and organization; store them as secrets and never commit them to source control. Self-hosting keeps execution data on your own infrastructure but you become responsible for log retention, access control, and isolation. | ✓ Chats, prompts, file uploads, image inputs, tool calls, MCP payloads, Skills, Subagent transcripts, Code Interpreter files, RAG chunks, embeddings, message search data, logs, and exports may contain private data. Model providers, rerankers, search providers, MCP servers, custom endpoints, storage services, and analytics integrations may receive user content depending on configuration. Keep `.env`, model keys, OAuth secrets, LDAP settings, MongoDB data, MeiliSearch indexes, pgvector data, upload folders, logs, and generated artifacts out of public repos and screenshots. Before using shared agents or marketplace-style workflows, define who can view prompts, files, agent configs, Skills, MCP server definitions, and conversation exports. |
| Prerequisites | | | | |
| Install | | — | — | |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |