AIO Sandbox | Ry Walker Research

Key takeaways

All-in-one Docker container combining browser, shell, file system, VSCode, Jupyter, and MCP — no multi-container orchestration needed
ByteDance-affiliated project with 5K+ GitHub stars and multi-language SDKs (Python, TypeScript, Go)
Unified file system means files downloaded in browser are instantly available in shell/code — solves the cross-sandbox coordination problem
v1.9.3 (May 2026) aligned versioning to SemVer and added a built-in `aio` CLI, stateful Bash API, file watching, and desktop recording — a 2.0 refactor is announced but not yet shipped

FAQ

What is AIO Sandbox?

An open-source Docker container that bundles browser (VNC + CDP), shell, file system, VSCode Server, Jupyter, and MCP servers into a single unified environment for AI agents.

How does AIO Sandbox differ from E2B or Daytona?

AIO Sandbox is a single Docker container with everything pre-configured — browser, IDE, terminal, MCP. E2B focuses on ephemeral Firecracker VMs, Daytona on fast creation with Computer Use. AIO trades isolation strength for integration simplicity.

Who built AIO Sandbox?

The Agent Infra team, affiliated with ByteDance. The same org behind UI-TARS-desktop, ByteDance's multimodal AI agent stack.

Is AIO Sandbox production-ready?

It ships versioned Docker images (v1.9.3, SemVer as of May 2026) and SDKs, but uses Docker-level isolation (weaker than Firecracker/microVM) and distributes linux/amd64 images only. Good for development and self-hosted deployments; evaluate security posture for production use.

Is there a managed cloud version of AIO Sandbox?

No managed SaaS exists as of June 2026. It remains self-hosted; the docs describe one-click deployment to ByteDance's Volcano Engine function compute as the recommended public-cloud path.

Executive Summary

AIO Sandbox is an open-source, all-in-one sandbox environment for AI agents that packages browser automation, shell execution, file operations, VSCode Server, Jupyter Notebook, and MCP servers into a single Docker container. Built by the Agent Infra team (affiliated with ByteDance), it solves the integration problem that plagues multi-container sandbox setups: everything shares one file system, so a file downloaded in the browser is instantly available in the terminal or IDE. As of June 2026 the project sits at 5,047 stars and 448 forks, with its latest release (v1.9.3) shipped May 29, 2026.

Attribute	Value
GitHub	agent-infra/sandbox
Stars	5K+ (5,047 as of June 2026)
Forks	448
License	Apache 2.0
Language	Python (primary), TypeScript, Go SDKs
Isolation	Docker container
Founded by	Agent Infra team (ByteDance-affiliated)
First Release	2025
Latest Release	v1.9.3 (May 29, 2026)

What It Does

AIO Sandbox bundles six capabilities into one container:

Browser — Full Chromium with VNC (visual), CDP (programmatic), and MCP (high-level) interfaces
Shell — Command execution via REST API and WebSocket terminal
File System — Read/write/list operations, shared across all components
VSCode Server — Full IDE in the browser
Jupyter Notebook — Interactive Python environment
MCP Servers — Pre-configured Model Context Protocol servers for browser, file, shell, and document processing (Markitdown)

All accessible from a single port (8080) with a unified REST API.

What's New (as of June 2026)

The v1.9.3 release (May 29, 2026) aligned the project to semantic versioning — a cumulative jump from the old 1.0.0.152 scheme — and is described by the maintainers as a consolidation release before an announced 2.0 refactor. Highlights:

Built-in aio CLI — agents can access browser, GUI, file, sandbox, MCP, and skills capabilities directly from the shell
Stateful Bash API (/v1/bash/*) — separated stdout/stderr, stdin writing, process control, output polling, and session management designed for agent workflows
Real-time file watching — SSE, long polling, and blocking-wait modes for file/directory events
Desktop recording — capture the X11 desktop as MP4
Proxy Mapping on GOST v3 — domain/IP/port mapping, HTTPS mapping, header-based routing, proxy auth, health checks
Runtime expansion — multiple Node.js versions, Go, bun, yarn, plus fonts and system deps for browser rendering
MCP Hub rework — extensible MCP servers, tool search, skill loading and registration

The project also launched an official documentation site at sandbox.agent-infra.com and picked up trade-press coverage in March 2026. One caveat: the image is distributed for linux/amd64 only; ARM machines must run it under emulation. Still no managed cloud offering — the docs point to one-click deployment on ByteDance's Volcano Engine function compute as the recommended public-cloud path.

Architecture

┌─────────────────────────────────────────────────┐
│ 🌐 Browser + VNC                                │
├─────────────────────────────────────────────────┤
│ 💻 VSCode Server │ 🐚 Shell │ 📁 File Ops      │
├─────────────────────────────────────────────────┤
│ 🔗 MCP Hub + 🔒 Sandbox Fusion                  │
├─────────────────────────────────────────────────┤
│ 🚀 Preview Proxy + 📊 Service Monitoring        │
└─────────────────────────────────────────────────┘

The key architectural insight is the unified file system. Traditional agent setups might use separate containers for browser, code execution, and file storage, creating friction when passing data between them. AIO eliminates this — download a file in the browser, process it in Jupyter, serve it from the terminal, all without volume mounts or file transfers.

Quick Start

One command:

docker run --security-opt seccomp=unconfined --rm -it -p 8080:8080 ghcr.io/agent-infra/sandbox:latest

Then access:

API Docs: http://localhost:8080/v1/docs
VNC Browser: http://localhost:8080/vnc/index.html?autoconnect=true
VSCode: http://localhost:8080/code-server/
MCP: http://localhost:8080/mcp

SDK Support

SDKs available for three languages:

Python:

pip install agent-sandbox

TypeScript/JavaScript:

npm install @agent-infra/sandbox

Go:

go get github.com/agent-infra/sandbox-sdk-go

All three provide typed clients for shell execution, file operations, browser automation, and Jupyter code execution.

API Surface

Endpoint	Description
`/v1/sandbox`	Environment info
`/v1/shell/exec`	Execute shell commands
`/v1/file/read`	Read file contents
`/v1/file/write`	Write file contents
`/v1/browser/screenshot`	Browser screenshot
`/v1/jupyter/execute`	Execute Jupyter code

MCP servers expose higher-level tools:

Server	Tools
browser	navigate, screenshot, click, type, scroll
file	read, write, list, search, replace
shell	exec, create_session, kill
markitdown	convert, extract_text, extract_images

ByteDance Connection

AIO Sandbox is maintained by the Agent Infra organization on GitHub, which is affiliated with ByteDance. ByteDance's UI-TARS-desktop project (36K+ stars as of June 2026) migrated from its internal sandbox to agent-infra/sandbox, providing a strong signal of internal adoption and continued investment.

This positions AIO Sandbox as a byproduct of ByteDance's broader AI agent infrastructure — not a startup product, but an internal tool open-sourced for community use.

Strengths

True all-in-one — Browser, IDE, terminal, Jupyter, MCP in one container. No orchestration needed.
Unified file system — Cross-component workflows just work. No volume mounts between containers.
MCP-native — Pre-configured MCP servers make it plug-and-play for agent frameworks.
Multi-language SDKs — Python, TypeScript, Go cover most agent ecosystems.
Zero config — One docker run and everything is available.
Active development — v1.9.3 shipped May 2026 with a 2.0 refactor announced; ByteDance backing.

Weaknesses

Docker-level isolation only — Weaker than Firecracker (E2B), libkrun (Microsandbox), or gVisor (Modal). Not suitable for running untrusted code from the internet without additional hardening.
Single container = single point of failure — Everything goes down together. No independent scaling of components.
No ephemeral/checkpoint model — No built-in snapshotting or checkpoint/restore like Sprites or Runloop.
No cloud offering — Self-hosted only as of June 2026. No managed service option; the closest path is one-click deployment to ByteDance's Volcano Engine function compute.
amd64-only image — No native ARM image; Apple Silicon and Graviton hosts run under emulation.
No GPU support — CPU-only execution.
ByteDance affiliation — May face scrutiny in some enterprise procurement processes (geopolitical considerations).

What Developers Say

Independent community commentary on AIO Sandbox is still thin — most discussion comes from the maintainers themselves or aggregator coverage. The Hacker News launch thread drew little engagement beyond the maintainer's own framing:

"Most 'AI Agents' today are limited by fragmented environments: a browser here, a shell there, some ephemeral code sandbox in the cloud — each isolated, slow, and brittle." — ycjcl868 (maintainer), Hacker News

Broader skepticism about the crowded sandbox category applies here too. From an Ask HN thread surveying the space:

"A tool so good that it requires 37 different sandboxes" — ex-aws-dude, Hacker News

"They work, but with tradeoffs. MicroVMs are secure but slower & costly. WASM is fast & cheap but limited. Ultimately, to date, there isn't a perfect solution." — QubridAI, Hacker News

No substantive third-party reviews of AIO Sandbox specifically were found on Reddit or X as of June 2026 — adoption signals remain mostly star counts and the UI-TARS migration rather than independent practitioner testimony.

Competitive Position

Feature	AIO Sandbox	E2B	Daytona	OpenSandbox
Browser	✅ VNC + CDP + MCP	—	✅ Computer Use	✅ VNC
IDE	✅ VSCode + Jupyter	—	✅ VS Code	✅ VS Code
MCP	✅ Built-in	—	—	—
Isolation	Docker	Firecracker	Docker	Docker/K8s
Managed Cloud	—	✅	✅	—
SDKs	Python, TS, Go	Python, JS, Go	Python, TS	Python, Java, TS, C#
Stars	5K+	10K+	28K+	2K+

AIO Sandbox's niche is the integrated experience — it's the only option where browser, IDE, terminal, Jupyter, and MCP all share a file system out of the box. The trade-off is weaker isolation and no managed cloud option.

Best For

Agent developers wanting a single-container dev/test environment with everything pre-configured
Teams using MCP who want browser + shell + file MCP servers without setup
ByteDance ecosystem users building on UI-TARS or related agent frameworks
Self-hosted deployments where Docker isolation is acceptable

Not Ideal For

Production execution of untrusted code — Docker isolation is insufficient; use E2B or Microsandbox
Massive scale — No managed cloud, no Kubernetes-native orchestration (unlike OpenSandbox)
Enterprise procurement — No SOC2, no managed offering, ByteDance affiliation may complicate
GPU workloads — No GPU support; use Modal or Northflank

Bottom Line

AIO Sandbox is a well-executed "kitchen sink" sandbox — everything an AI agent needs in one Docker container. The unified file system and pre-configured MCP servers are genuinely useful differentiators that solve real integration pain, and the project is demonstrably alive: stars grew from ~3.4K to 5K+ between March and June 2026, and v1.9.3 added a built-in CLI, stateful Bash API, file watching, and desktop recording. The main limitation is unchanged: Docker-level isolation makes it better suited for development and trusted-code scenarios than for running arbitrary untrusted code in production.

Recommended for: agent developers who want a zero-config, MCP-native, all-in-one dev/test environment; teams in the ByteDance/UI-TARS ecosystem; self-hosters comfortable with Docker isolation.
Not recommended for: production execution of untrusted code, teams needing a managed cloud or SOC2 paperwork, GPU workloads, or native-ARM deployments.
Outlook: Positive. SemVer alignment and the announced 2.0 refactor signal sustained ByteDance investment, but watch whether 2.0 brings stronger isolation or a managed offering — neither exists as of June 2026.

Research by Ry Walker Research

Sources