Key takeaways
- All-in-one Docker container combining browser, shell, file system, VSCode, Jupyter, and MCP — no multi-container orchestration needed
- ByteDance-affiliated project with 3.4K+ GitHub stars and multi-language SDKs (Python, TypeScript, Go)
- Unified file system means files downloaded in browser are instantly available in shell/code — solves the cross-sandbox coordination problem
FAQ
What is AIO Sandbox?
An open-source Docker container that bundles browser (VNC + CDP), shell, file system, VSCode Server, Jupyter, and MCP servers into a single unified environment for AI agents.
How does AIO Sandbox differ from E2B or Daytona?
AIO Sandbox is a single Docker container with everything pre-configured — browser, IDE, terminal, MCP. E2B focuses on ephemeral Firecracker VMs, Daytona on fast creation with Computer Use. AIO trades isolation strength for integration simplicity.
Who built AIO Sandbox?
The Agent Infra team, affiliated with ByteDance. The same org behind UI-TARS-desktop, ByteDance's multimodal AI agent stack.
Is AIO Sandbox production-ready?
It ships versioned Docker images and SDKs, but uses Docker-level isolation (weaker than Firecracker/microVM). Good for development and self-hosted deployments; evaluate security posture for production use.
Executive Summary
AIO Sandbox is an open-source, all-in-one sandbox environment for AI agents that packages browser automation, shell execution, file operations, VSCode Server, Jupyter Notebook, and MCP servers into a single Docker container. Built by the Agent Infra team (affiliated with ByteDance), it solves the integration problem that plagues multi-container sandbox setups: everything shares one file system, so a file downloaded in the browser is instantly available in the terminal or IDE.
| Attribute | Value |
|---|---|
| GitHub | agent-infra/sandbox |
| Stars | 3.4K+ |
| Forks | 276+ |
| License | Apache 2.0 |
| Language | Python (primary), TypeScript, Go SDKs |
| Isolation | Docker container |
| Founded by | Agent Infra team (ByteDance-affiliated) |
| First Release | 2025 |
What It Does
AIO Sandbox bundles six capabilities into one container:
- Browser — Full Chromium with VNC (visual), CDP (programmatic), and MCP (high-level) interfaces
- Shell — Command execution via REST API and WebSocket terminal
- File System — Read/write/list operations, shared across all components
- VSCode Server — Full IDE in the browser
- Jupyter Notebook — Interactive Python environment
- MCP Servers — Pre-configured Model Context Protocol servers for browser, file, shell, and document processing (Markitdown)
All accessible from a single port (8080) with a unified REST API.
Architecture
┌─────────────────────────────────────────────────┐
│ 🌐 Browser + VNC │
├─────────────────────────────────────────────────┤
│ 💻 VSCode Server │ 🐚 Shell │ 📁 File Ops │
├─────────────────────────────────────────────────┤
│ 🔗 MCP Hub + 🔒 Sandbox Fusion │
├─────────────────────────────────────────────────┤
│ 🚀 Preview Proxy + 📊 Service Monitoring │
└─────────────────────────────────────────────────┘
The key architectural insight is the unified file system. Traditional agent setups might use separate containers for browser, code execution, and file storage, creating friction when passing data between them. AIO eliminates this — download a file in the browser, process it in Jupyter, serve it from the terminal, all without volume mounts or file transfers.
Quick Start
One command:
docker run --security-opt seccomp=unconfined --rm -it -p 8080:8080 ghcr.io/agent-infra/sandbox:latest
Then access:
- API Docs:
http://localhost:8080/v1/docs - VNC Browser:
http://localhost:8080/vnc/index.html?autoconnect=true - VSCode:
http://localhost:8080/code-server/ - MCP:
http://localhost:8080/mcp
SDK Support
SDKs available for three languages:
Python:
pip install agent-sandbox
TypeScript/JavaScript:
npm install @agent-infra/sandbox
Go:
go get github.com/agent-infra/sandbox-sdk-go
All three provide typed clients for shell execution, file operations, browser automation, and Jupyter code execution.
API Surface
| Endpoint | Description |
|---|---|
/v1/sandbox | Environment info |
/v1/shell/exec | Execute shell commands |
/v1/file/read | Read file contents |
/v1/file/write | Write file contents |
/v1/browser/screenshot | Browser screenshot |
/v1/jupyter/execute | Execute Jupyter code |
MCP servers expose higher-level tools:
| Server | Tools |
|---|---|
| browser | navigate, screenshot, click, type, scroll |
| file | read, write, list, search, replace |
| shell | exec, create_session, kill |
| markitdown | convert, extract_text, extract_images |
ByteDance Connection
AIO Sandbox is maintained by the Agent Infra organization on GitHub, which is affiliated with ByteDance. ByteDance's UI-TARS-desktop project (29K+ stars) migrated from its internal sandbox to agent-infra/sandbox, providing a strong signal of internal adoption and continued investment.
This positions AIO Sandbox as a byproduct of ByteDance's broader AI agent infrastructure — not a startup product, but an internal tool open-sourced for community use.
Strengths
- True all-in-one — Browser, IDE, terminal, Jupyter, MCP in one container. No orchestration needed.
- Unified file system — Cross-component workflows just work. No volume mounts between containers.
- MCP-native — Pre-configured MCP servers make it plug-and-play for agent frameworks.
- Multi-language SDKs — Python, TypeScript, Go cover most agent ecosystems.
- Zero config — One
docker runand everything is available. - Active development — Regular releases (v1.0.0.152+), ByteDance backing.
Weaknesses
- Docker-level isolation only — Weaker than Firecracker (E2B), libkrun (Microsandbox), or gVisor (Modal). Not suitable for running untrusted code from the internet without additional hardening.
- Single container = single point of failure — Everything goes down together. No independent scaling of components.
- No ephemeral/checkpoint model — No built-in snapshotting or checkpoint/restore like Sprites or Runloop.
- No cloud offering — Self-hosted only. No managed service option.
- No GPU support — CPU-only execution.
- ByteDance affiliation — May face scrutiny in some enterprise procurement processes (geopolitical considerations).
Competitive Position
| Feature | AIO Sandbox | E2B | Daytona | OpenSandbox |
|---|---|---|---|---|
| Browser | ✅ VNC + CDP + MCP | — | ✅ Computer Use | ✅ VNC |
| IDE | ✅ VSCode + Jupyter | — | ✅ VS Code | ✅ VS Code |
| MCP | ✅ Built-in | — | — | — |
| Isolation | Docker | Firecracker | Docker | Docker/K8s |
| Managed Cloud | — | ✅ | ✅ | — |
| SDKs | Python, TS, Go | Python, JS, Go | Python, TS | Python, Java, TS, C# |
| Stars | 3.4K | 10K+ | 28K+ | 2K+ |
AIO Sandbox's niche is the integrated experience — it's the only option where browser, IDE, terminal, Jupyter, and MCP all share a file system out of the box. The trade-off is weaker isolation and no managed cloud option.
Best For
- Agent developers wanting a single-container dev/test environment with everything pre-configured
- Teams using MCP who want browser + shell + file MCP servers without setup
- ByteDance ecosystem users building on UI-TARS or related agent frameworks
- Self-hosted deployments where Docker isolation is acceptable
Not Ideal For
- Production execution of untrusted code — Docker isolation is insufficient; use E2B or Microsandbox
- Massive scale — No managed cloud, no Kubernetes-native orchestration (unlike OpenSandbox)
- Enterprise procurement — No SOC2, no managed offering, ByteDance affiliation may complicate
- GPU workloads — No GPU support; use Modal or Northflank
Bottom Line
AIO Sandbox is a well-executed "kitchen sink" sandbox — everything an AI agent needs in one Docker container. The unified file system and pre-configured MCP servers are genuinely useful differentiators that solve real integration pain. The ByteDance backing (via UI-TARS adoption) suggests sustained investment. The main limitation is Docker-level isolation, which makes it better suited for development and trusted-code scenarios than for running arbitrary untrusted code in production.
Research by Ry Walker Research