NVIDIA OpenShell

Name: NVIDIA OpenShell
Availability: OnlineOnly
Author: NVIDIA

OpenShell is a safe, private sandboxed runtime for autonomous AI agents, enforcing declarative YAML policies to prevent unauthorized file access, data exfiltration, and uncontrolled network activity.

Visit Website

At a Glance

Pricing

Open Source

Fully free and open-source under the Apache License 2.0. Use, modify, and distribute freely.

Engagement

Available On

Windows

macOS

Linux

Web

API

NVIDIASanta Clara, CAEst. 1993$4.1B raised

Listed May 2026

About NVIDIA OpenShell

OpenShell is NVIDIA's open-source, agent-first runtime that provides sandboxed execution environments for autonomous AI agents. It protects data, credentials, and infrastructure through declarative YAML policies enforced at the filesystem, network, process, and inference layers. Built primarily in Rust, OpenShell runs as a lightweight K3s Kubernetes cluster inside a single Docker container — no separate Kubernetes install required. It ships with built-in support for popular coding agents like Claude Code, Codex, OpenCode, and GitHub Copilot CLI.

Sandboxed Execution — Each agent runs in an isolated container with policy-enforced egress routing, preventing unauthorized access to host resources.
Declarative YAML Policies — Define filesystem, network, process, and inference constraints in YAML; static sections lock at creation, dynamic sections hot-reload at runtime without restarting the sandbox.
Privacy Router — Privacy-aware LLM routing strips caller credentials, injects backend credentials, and keeps sensitive context on sandbox compute.
Multi-Layer Protection — Defense-in-depth across four domains: filesystem path restrictions, outbound network blocking, privilege escalation prevention, and inference API rerouting.
Credential Providers — Named credential bundles are injected as environment variables at runtime; credentials never touch the sandbox filesystem.
GPU Support (Experimental) — Pass host NVIDIA GPUs into sandboxes for local inference or fine-tuning workloads using CDI or Docker's NVIDIA GPU request path.
Agent Skills — Built-in workflow automation skills for CLI usage, cluster debugging, policy generation, security review, and more, discoverable by any coding agent.
Terminal UI — Real-time keyboard-driven dashboard (inspired by k9s) for monitoring gateways, sandboxes, and providers with auto-refresh every two seconds.
Community Sandboxes & BYOC — Launch sandboxes from the OpenShell Community catalog, a local Dockerfile, or any container image registry using the --from flag.
Easy Install — Install via a single curl command or from PyPI using uv, then run openshell sandbox create -- claude to spin up your first sandboxed agent.

Community Discussions

Be the first to start a conversation about NVIDIA OpenShell

Share your experience with NVIDIA OpenShell, ask questions, or help others learn from your insights.

Pricing

OPEN SOURCE

Open Source (Apache 2.0)

Fully free and open-source under the Apache License 2.0. Use, modify, and distribute freely.

Sandboxed AI agent execution
Declarative YAML policy enforcement
Privacy-aware LLM routing
GPU passthrough support (experimental)
Community sandbox catalog

Capabilities

Key Features

Sandboxed container execution for AI agents
Declarative YAML policy enforcement
Hot-reloadable network and inference policies
Privacy-aware LLM routing
Filesystem, network, process, and inference protection layers
Credential provider injection (no filesystem leakage)
GPU passthrough support (experimental)
Built-in agent skills for debugging and policy generation
Real-time terminal UI (TUI) dashboard
Community sandbox catalog and BYOC support
K3s Kubernetes cluster inside a single Docker container
Support for Claude Code, Codex, OpenCode, Copilot, Ollama

Integrations

Claude Code

OpenCode

Codex (OpenAI)

GitHub Copilot CLI

OpenClaw

Ollama

Docker

K3s / Kubernetes

NVIDIA Container Toolkit

PyPI

GitHub

API Available

View Docs

Back to all tools Suggest an edit

About NVIDIA OpenShell

Sandboxed Execution — Each agent runs in an isolated container with policy-enforced egress routing, preventing unauthorized access to host resources.
Declarative YAML Policies — Define filesystem, network, process, and inference constraints in YAML; static sections lock at creation, dynamic sections hot-reload at runtime without restarting the sandbox.
Privacy Router — Privacy-aware LLM routing strips caller credentials, injects backend credentials, and keeps sensitive context on sandbox compute.
Multi-Layer Protection — Defense-in-depth across four domains: filesystem path restrictions, outbound network blocking, privilege escalation prevention, and inference API rerouting.
Credential Providers — Named credential bundles are injected as environment variables at runtime; credentials never touch the sandbox filesystem.
GPU Support (Experimental) — Pass host NVIDIA GPUs into sandboxes for local inference or fine-tuning workloads using CDI or Docker's NVIDIA GPU request path.
Agent Skills — Built-in workflow automation skills for CLI usage, cluster debugging, policy generation, security review, and more, discoverable by any coding agent.
Terminal UI — Real-time keyboard-driven dashboard (inspired by k9s) for monitoring gateways, sandboxes, and providers with auto-refresh every two seconds.
Community Sandboxes & BYOC — Launch sandboxes from the OpenShell Community catalog, a local Dockerfile, or any container image registry using the --from flag.
Easy Install — Install via a single curl command or from PyPI using uv, then run openshell sandbox create -- claude to spin up your first sandboxed agent.

NVIDIA OpenShell