Why AI Agents Need Sandboxes (And Why It Matters Now)
AI agents have moved beyond generating text. Today's autonomous agents write code, execute shell commands, browse the web, modify filesystems, and call external APIs. This expanding autonomy creates a fundamental security problem: what happens when a poorly calibrated agent runs a destructive command on your production server?
The answer is sandboxing. Isolated execution environments let agents operate freely without ever compromising the host system. But until recently, developers faced an uncomfortable choice: pay per-minute fees for managed sandbox services, or cobble together Docker containers, manual network policies, and third-party APIs into a fragile patchwork that breaks at scale.
Alibaba has introduced a third option. OpenSandbox is an open-source, general-purpose sandbox platform built specifically for AI applications. Licensed under Apache 2.0, it has already gathered 8,700 stars and 655 forks on GitHub. It provides multi-language SDKs, a unified API, and supports both Docker for local development and Kubernetes for production deployments. This guide breaks down how it works, what makes it different, and whether it belongs in your stack.
The Real Risks of Running Agents Without Isolation
A modern AI agent connected to a terminal can theoretically perform any system operation. It can install packages, modify configuration files, open outbound network connections, or delete entire directories. If the agent misinterprets an instruction or falls victim to a prompt injection attack, the consequences range from data loss to full system compromise.
The threat scenarios are concrete. A coding agent executing a malicious script from a compromised repository. A research agent exfiltrating sensitive data through an uncontrolled HTTP request. An evaluation agent consuming all CPU resources on a shared server. Without isolation, every interaction between an agent and its execution environment is an attack surface.
Many developers try to solve this by manually launching Docker containers with restrictions. But this approach has hard limits. You need to configure network isolation per sandbox, manually manage volume mounts, implement your own timeout mechanisms, and maintain cleanup scripts to prevent orphaned container accumulation. It works for a prototype. It collapses in production.
The complexity multiplies in multi-agent architectures. When you run dozens or hundreds of agents simultaneously, each requiring its own isolated environment with specific dependencies, network rules, and resource limits, manual orchestration becomes untenable. You end up building your own sandbox management layer on top of Docker, essentially recreating what a dedicated platform should provide. This is the gap that OpenSandbox fills: a unified, production-grade execution layer between your agents and the outside world.
OpenSandbox Architecture: A Four-Layer Technical Breakdown
Layer 1: Multi-Language SDKs
OpenSandbox provides client libraries in Python, Java/Kotlin, TypeScript/JavaScript, and C#/.NET, with Go on the roadmap. Each SDK offers idiomatic interfaces for creating, managing, and destroying sandboxes programmatically. This polyglot support is a key differentiator; most competitors offer only Python and JavaScript.
Layer 2: Protocol-First Specifications
The project adopts a "protocol-first" approach built on OpenAPI specifications. Two API sets are defined: Sandbox Lifecycle APIs (creation, suspension, destruction) and Sandbox Execution APIs (commands, files, code interpreter). This standardization ensures behavior remains identical regardless of which SDK or runtime you use, and makes it possible for third-party tools to integrate without depending on a specific SDK.
Layer 3: The FastAPI Runtime Server
The runtime layer is a Python FastAPI server that manages sandbox lifecycles. Locally, it orchestrates Docker containers. In production, it handles distributed scheduling on Kubernetes. It exposes the APIs defined in the Specs layer and handles all the complexity of container creation, resource allocation, and cleanup.
Layer 4: Sandbox Instances and the execd Daemon
Each sandbox is an OCI container into which OpenSandbox injects a high-performance Go-based execution daemon called execd. This daemon interfaces with internal Jupyter kernels for stateful code execution, supports real-time output streaming via Server-Sent Events (SSE), and provides comprehensive filesystem management. The injection is transparent and works with any OCI container image as a base.
Docker vs. Kubernetes: Development to Production Without Code Changes
One of OpenSandbox's strongest selling points is infrastructure flexibility. During development, you use Docker as your runtime. Three commands get you a working environment on your local machine. In production, you switch to the Kubernetes runtime without changing a single line of application code. The same API, the same SDKs, the same behavior. This eliminates "environment drift," the insidious divergence between what works locally and what runs in production.
Isolation Options: gVisor, Kata Containers, and Firecracker
If standard Docker isolation doesn't meet your security requirements, OpenSandbox supports three hardened isolation technologies.
gVisor, developed by Google, intercepts system calls at the kernel level and executes them in a secured user space. It's fast but provides kernel-level isolation only. Kata Containers create lightweight virtual machines for each container, providing hardware-level isolation. Firecracker, Amazon's microVM technology built for AWS Lambda, delivers the highest isolation level with minimal overhead.
The choice depends on your threat model. For an internal evaluation pipeline, Docker may suffice. For a service exposed to external users submitting arbitrary code, Firecracker or Kata provide significantly stronger guarantees.
Four Sandbox Types for Four Use Cases
OpenSandbox isn't limited to code execution. The platform provides four sandbox categories designed for distinct scenarios.
Coding Agent sandboxes offer environments optimized for software development. An agent can write, test, and debug code in a fully isolated space. Integration examples with Claude Code, Gemini CLI, and OpenAI Codex are included out of the box.
GUI Agent sandboxes support full VNC desktops, enabling agents to interact with graphical user interfaces. This is essential for "computer use" tasks where an agent needs to navigate desktop applications, fill out forms, or interact with visual interfaces.
Code Execution sandboxes provide high-performance runtimes for specific scripts or computational tasks, with a built-in code interpreter based on Jupyter kernels. They support stateful sessions and real-time output streaming.
RL Training sandboxes provide isolated environments for reinforcement learning, enabling safe iterative training loops without risk to the underlying infrastructure. The included example demonstrates DQN CartPole training.
Quick-Start Guide: Your First OpenSandbox in Five Minutes
Prerequisites and Installation
You need Docker (required for local execution) and Python 3.10+. The setup is straightforward:
# Install the OpenSandbox server
uv pip install opensandbox-server
# Generate configuration for Docker runtime
opensandbox-server init-config ~/.sandbox.toml --example docker
# Start the server
opensandbox-server
Creating and Using a Sandbox in Python
Here's a complete example showing sandbox creation, command execution, file operations, and code interpretation:
import asyncio
from datetime import timedelta
from code_interpreter import CodeInterpreter, SupportedLanguage
from opensandbox import Sandbox
from opensandbox.models import WriteEntry
async def main() -> None:
# Create a sandbox with a 10-minute timeout
sandbox = await Sandbox.create(
"opensandbox/code-interpreter:v1.0.2",
entrypoint=["/opt/opensandbox/code-interpreter.sh"],
env={"PYTHON_VERSION": "3.11"},
timeout=timedelta(minutes=10),
)
async with sandbox:
# Execute a shell command
execution = await sandbox.commands.run(
"echo 'Hello OpenSandbox!'"
)
print(execution.logs.stdout[0].text)
# Write a file into the sandbox
await sandbox.files.write_files([
WriteEntry(
path="/tmp/hello.txt",
data="Hello World",
mode=644,
)
])
# Read the file back
content = await sandbox.files.read_file("/tmp/hello.txt")
print(f"Content: {content}")
# Create a code interpreter
interpreter = await CodeInterpreter.create(sandbox)
# Execute Python code
result = await interpreter.codes.run(
"""
import sys
print(sys.version)
result = 2 + 2
result
""",
language=SupportedLanguage.PYTHON,
)
print(result.result[0].text) # 4
print(result.logs.stdout[0].text) # 3.11.14
# Clean up the sandbox
await sandbox.kill()
if __name__ == "__main__":
asyncio.run(main())
The API is fully asynchronous, making it straightforward to integrate into agent pipelines managing multiple sandboxes in parallel. Each sandbox acts as a context manager, ensuring clean resource cleanup.
The code interpreter component deserves special attention. Built on Jupyter kernels, it maintains state between executions within a session, which means variables, imports, and function definitions persist across multiple code runs. This is essential for iterative agent workflows where an agent writes code, observes the output, and refines its approach. The SSE-based streaming ensures that long-running computations provide real-time feedback rather than blocking until completion.
For teams coming from source, OpenSandbox can also be cloned and run directly from the repository, which is useful for contributing or customizing the runtime behavior beyond what configuration files allow.
Integrations: Claude Code, Gemini CLI, OpenAI Codex, and Beyond
First-Class Support for Major Coding Agents
OpenSandbox doesn't operate in isolation. The project provides ready-to-use integration examples with the major agent tools on the market. Anthropic's Claude Code, Google's Gemini CLI, and OpenAI's Codex can all run inside OpenSandbox environments, gaining a secure execution layer without any modification to their source code.
The project also includes integrations with LangGraph for state-machine workflows, Google ADK (Agent Development Kit) for building Google-ecosystem agents, Moonshot AI's Kimi CLI, and iFLow CLI.
Browser and Desktop Automation
For agents that need to interact with graphical interfaces, OpenSandbox provides specialized sandbox images. The Chrome integration offers a full Chromium browser with VNC and DevTools. The Playwright integration enables programmatic browser automation. Desktop sandboxes provide a complete desktop environment accessible via VNC. And for developers, a VS Code sandbox (code-server) provides a full web-based editor.
Granular Network Controls
A frequently overlooked but security-critical feature: OpenSandbox implements per-sandbox network policies. A unified ingress gateway handles inbound routing with multiple strategies, while per-sandbox egress controls let you precisely restrict outbound connections. You can allow an agent to access a specific API while blocking all other outbound traffic, preventing data exfiltration even if the agent is compromised.
OpenSandbox vs. the Competition: Full Comparison
The AI agent sandbox market is rapidly expanding. Here's how OpenSandbox compares to the leading alternatives.
Feature | OpenSandbox | E2B | Modal | Daytona | Vercel Sandboxes |
|---|---|---|---|---|---|
License | Apache 2.0 (free) | Open source + paid cloud | Proprietary | Open source + cloud | Proprietary |
Isolation | Docker/K8s, gVisor, Kata, Firecracker | Firecracker microVMs | gVisor | Docker, Kata Containers | Firecracker microVMs |
SDKs | Python, Java/Kotlin, TS/JS, C#/.NET | Python, JavaScript, Go | Python (primarily) | Docker native | Node.js, Python |
Creation time | Seconds | 150 ms cold start | Under 2 seconds | 90 ms | Not specified |
Session duration | Configurable | 1 h (free) / 24 h (Pro) | Unlimited | Unlimited | 45 min / 5 h (Pro) |
GPU support | No | No | Yes (A100, H100) | No | No |
Self-hosting | Yes (native) | Yes | No | Yes | No |
VNC desktop | Yes | No | No | Yes (Linux/Windows/macOS) | No |
Pricing | Free (self-hosted) | From $0.05/h per sandbox | From $0.047/vCPU-h | $200 free credit | 5 CPU hours free (Hobby) |
When to Choose OpenSandbox Over E2B
E2B is the dominant player in the AI agent sandbox market, claiming adoption by 88% of Fortune 100 companies. Its strength lies in blazing-fast sandbox creation (150 ms cold starts with Firecracker) and the simplicity of its SDKs. But E2B is a managed service whose per-usage pricing can become significant at scale.
OpenSandbox is the better fit if you need full control over your infrastructure, want no dependency on a third-party service, or require SDKs in languages E2B doesn't support (Java, Kotlin, C#). Being entirely free and self-hostable is a decisive advantage for organizations with data sovereignty requirements or those running in air-gapped environments.
When to Choose Modal or Daytona Instead
Modal is the logical choice if you need GPU access for model inference or training. Its Python ecosystem is exceptionally well-designed, and its autoscaling handles over 20,000 simultaneous containers. With native support for NVIDIA A100 and H100 GPUs and per-second billing, it serves ML teams that need elastic compute. But it's proprietary and Python-centric, making it a poor fit for polyglot teams or those requiring self-hosted deployments.
Daytona stands out with persistent sandboxes, a record-setting 90 ms creation time, and computer use support with Linux, Windows, and macOS virtual desktops. Unlike OpenSandbox's ephemeral model, Daytona preserves filesystem state, environment variables, and process memory between sessions. It's a strong choice for browser automation agents and teams that want both open source and managed cloud options.
Vercel Sandboxes, currently in beta, target a different audience entirely. Built on Firecracker microVMs and deeply integrated with the Vercel ecosystem, they make sense primarily for teams already building on Vercel's platform. The free Hobby tier is generous (5 CPU hours, 5,000 sandbox creations), but the single-region deployment and limited language support (Node.js and Python only) restrict their applicability for general-purpose agent infrastructure.
What to Know Before Getting Started
Current Limitations
Despite its strengths, OpenSandbox has limitations worth understanding. The project doesn't yet offer persistent storage between sessions; sandboxes are ephemeral. There's no native GPU support, which rules out heavy training or inference workloads. SOC 2 certification, important for enterprises subject to compliance requirements, isn't mentioned. And sandbox creation time, measured in seconds rather than milliseconds, remains slower than the 90-150 ms achieved by Daytona and E2B.
Backed by Alibaba's Internal Infrastructure
Alibaba's involvement lends the project significant credibility. OpenSandbox is built on the same infrastructure Alibaba uses internally for its own large-scale AI workloads. With 767 commits and 58 releases (the latest on March 18, 2026), the project shows a sustained development cadence. The Apache 2.0 license signals genuine commitment to community adoption, without the restrictive clauses that some enterprise open-source licenses have occasionally imposed.
Who Should Use OpenSandbox?
OpenSandbox is primarily aimed at technical teams building multi-agent systems in production who want to retain control over their execution infrastructure. If you're an individual developer who just wants to run a coding agent in a sandbox, E2B with its free tier will likely be faster to set up. But if you're building an agent platform at enterprise scale, with requirements around security, multi-tenancy, and deployment on your own Kubernetes cluster, OpenSandbox provides a solid and extensible foundation with no licensing fees.
The AI agent sandbox market is still young and actively consolidating. The protocol-level standardization OpenSandbox proposes through its OpenAPI specifications for lifecycle and execution could become a decisive advantage if adopted as a de facto standard. In an ecosystem where every vendor imposes its own API, Alibaba's "protocol-first" approach may be the project's most important contribution, beyond the code itself.
