
Copyright © 2026, NVIDIA Corporation.

Overview of NVIDIA OpenShell

NVIDIA OpenShell is an open-source runtime for executing autonomous AI agents in sandboxed environments with kernel-level isolation. It combines sandbox runtime controls and a declarative YAML policy so teams can run agents without giving them unrestricted access to local files, credentials, and external networks.

Why OpenShell Exists

AI agents are most useful when they can read files, install packages, call APIs, and use credentials. That same access can create material risk. OpenShell is designed for this tradeoff: preserve agent capability while enforcing explicit controls over what the agent can access.

Common Risks and Controls

The table below summarizes common failure modes and how OpenShell mitigates them.

| Threat | Without controls | With OpenShell |
|---|---|---|
| Data exfiltration | Agent uploads source code or internal files to unauthorized endpoints. | Network policies allow only approved destinations; other outbound traffic is denied. |
| Credential theft | Agent reads local secrets such as SSH keys or cloud credentials. | Filesystem restrictions (Landlock) confine access to declared paths only. |
| Unauthorized API usage | Agent sends prompts or data to unapproved model providers. | Privacy routing and network policies control where inference traffic can go. |
| Privilege escalation | Agent attempts sudo, setuid paths, or dangerous syscall behavior. | Unprivileged process identity and seccomp restrictions block escalation paths. |

Protection Layers at a Glance

OpenShell applies defense in depth across the following policy domains.

| Layer | What it protects | When it applies |
|---|---|---|
| Filesystem | Prevents reads/writes outside allowed paths. | Locked at sandbox creation. |
| Network | Blocks unauthorized outbound connections. | Hot-reloadable at runtime. |
| Process | Blocks privilege escalation and dangerous syscalls. | Locked at sandbox creation. |
| Inference | Reroutes model API calls to controlled backends. | Hot-reloadable at runtime. |

For details, refer to Customize Sandbox Policies and Default Policy.

Common Use Cases

OpenShell supports a range of agent deployment patterns.

| Use Case | Description |
|---|---|
| Secure coding agents | Run Claude Code, OpenCode, or OpenClaw with constrained file and network access. |
| Private enterprise development | Route inference to self-hosted or private backends while keeping sensitive context under your control. |
| Compliance and audit | Treat policy YAML as version-controlled security controls that can be reviewed and audited. |
| Reusable environments | Use community sandbox images or bring your own containerized runtime. |

Next Steps

Explore these topics to go deeper:

  • To understand the runtime architecture, refer to How OpenShell Works.
  • To install the CLI and create your first sandbox, refer to the Quickstart.
  • To learn how OpenShell enforces policy controls across protection layers, refer to Customize Sandbox Policies.