Overview of NVIDIA OpenShell#
NVIDIA OpenShell is an open-source runtime for executing autonomous AI agents in sandboxed environments with kernel-level isolation. It combines sandbox runtime controls and a declarative YAML policy so teams can run agents without giving them unrestricted access to local files, credentials, and external networks.
Why OpenShell Exists#
AI agents are most useful when they can read files, install packages, call APIs, and use credentials. That same access can create material risk. OpenShell is designed for this tradeoff: preserve agent capability while enforcing explicit controls over what the agent can access.
Common Risks and Controls#
The table below summarizes common failure modes and how OpenShell mitigates them.
Threat |
Without controls |
With OpenShell |
|---|---|---|
Data exfiltration |
Agent uploads source code or internal files to unauthorized endpoints. |
Network policies allow only approved destinations; other outbound traffic is denied. |
Credential theft |
Agent reads local secrets such as SSH keys or cloud credentials. |
Filesystem restrictions (Landlock) confine access to declared paths only. |
Unauthorized API usage |
Agent sends prompts or data to unapproved model providers. |
Privacy routing and network policies control where inference traffic can go. |
Privilege escalation |
Agent attempts |
Unprivileged process identity and seccomp restrictions block escalation paths. |
Protection Layers at a Glance#
OpenShell applies defense in depth across the following policy domains.
Layer |
What it protects |
When it applies |
|---|---|---|
Filesystem |
Prevents reads/writes outside allowed paths. |
Locked at sandbox creation. |
Network |
Blocks unauthorized outbound connections. |
Hot-reloadable at runtime. |
Process |
Blocks privilege escalation and dangerous syscalls. |
Locked at sandbox creation. |
Inference |
Reroutes model API calls to controlled backends. |
Hot-reloadable at runtime. |
For details, refer to Sandbox Policies and Customize Sandbox Policies.
Common Use Cases#
OpenShell supports a range of agent deployment patterns.
Use Case |
Description |
|---|---|
Secure coding agents |
Run Claude Code, OpenCode, or OpenClaw with constrained file and network access. |
Private enterprise development |
Route inference to self-hosted or private backends while keeping sensitive context under your control. |
Compliance and audit |
Treat policy YAML as version-controlled security controls that can be reviewed and audited. |
Reusable environments |
Use community sandbox images or bring your own containerized runtime. |
Next Steps#
Explore these topics to go deeper:
To understand the components that make up the OpenShell runtime, refer to the Architecture Overview.
To install the CLI and create your first sandbox, refer to the Quickstart.
To learn how OpenShell enforces isolation across all protection layers, refer to Sandboxes.