Key takeaways
- Announced at GTC 2026 (March 16-19) as "the safe, private runtime for autonomous AI agents" — 7K+ GitHub stars, 842 forks, and 53 releases in under four months, shipping near-daily (v0.0.59 on June 9, 2026)
- Four declarative protection domains in version-controllable YAML: filesystem (Landlock LSM), network (OPA-evaluated proxy), process (seccomp BPF), and inference routing through a Privacy Router that keeps agent context away from unauthorized model providers
- Self-hosted policy layer, not a hosted sandbox-as-API — it competes on governance of agents you already run (Claude Code, Codex, Copilot CLI, OpenCode), not on spinning up cloud sandboxes per API call
- Canonical ships it as an Ubuntu snap (June 2026, COMPUTEX), and it is the enforcement layer under NVIDIA's NemoClaw agent stack — but NVIDIA labels it alpha, "single-player mode," with rough edges
FAQ
What is NVIDIA OpenShell?
OpenShell is NVIDIA's open-source runtime that runs autonomous AI agents inside isolated sandboxes where declarative YAML policies govern every file access, network connection, process execution, and inference call.
How much does NVIDIA OpenShell cost?
Free — Apache 2.0 licensed and self-hosted. You pay for your own infrastructure and LLM API usage; there is no hosted or paid tier.
How does OpenShell isolate agents?
Container-based sandboxes hardened with Linux kernel primitives — Landlock LSM for filesystem paths, seccomp BPF for syscall filtering, a network namespace whose only egress is an OPA-evaluated proxy — plus a Privacy Router that controls which model backends receive agent context.
How is OpenShell different from E2B?
E2B is a hosted sandbox-as-API platform that creates ephemeral Firecracker microVMs on demand; OpenShell is a self-hosted runtime and policy layer for long-lived agents on your own machines — governance over your infrastructure rather than execution on someone else's.
Executive Summary
NVIDIA OpenShell is an open-source, Rust-built runtime that answers a blunt question: what stops an autonomous agent from reading your SSH keys, exfiltrating your codebase, or calling a model provider you never approved? Its answer is per-agent isolated sandboxes governed by declarative YAML policy across four domains — filesystem, network, process execution, and inference routing — with every outbound connection intercepted by a policy engine that allows, routes, or denies it.[1] Enforcement happens at the kernel boundary: Landlock LSM locks allowed filesystem paths at sandbox creation, seccomp BPF filters dangerous syscalls, and all network egress flows through an HTTP CONNECT proxy evaluated by Open Policy Agent rules in real time.[2]
OpenShell shipped at GTC 2026 (March 16-19) and grew fast for a four-month-old project: the repository was created February 24, 2026, and by June 11 had 7,026 stars, 842 forks, 66 contributors, 858 commits, and 53 releases, with v0.0.59 published June 9 — a near-daily release cadence.[1] Canonical packaged it as an Ubuntu snap at COMPUTEX 2026, and it is the enforcement layer beneath NVIDIA's NemoClaw agent stack.[3][4] The honest framing matters: OpenShell is a self-hosted runtime and policy layer for agents you already run — not a hosted sandbox-as-API platform like E2B — and NVIDIA itself calls it alpha software in "single-player mode."[1]
| Attribute | Value |
|---|---|
| Creator | NVIDIA |
| Announced | GTC 2026 (repo created February 24, 2026)[1][2] |
| GitHub Stars | 7K+ (as of June 2026)[1] |
| Forks / Contributors | 842 / 66[1] |
| Releases | 53 (v0.0.59 on June 9, 2026)[1] |
| Language | Rust (~90% of codebase)[1] |
| License | Apache 2.0[1] |
Product Overview
OpenShell sits between an agent and the operating system. You create a sandbox, attach a YAML policy, and launch a supported agent inside it — Claude Code, Codex, OpenCode, or GitHub Copilot CLI out of the box, with community-maintained support for Ollama and Pi.[1] Credentials are injected as environment variables and never written to the sandbox filesystem; a real-time terminal UI dashboard shows what the agent is touching, and a community sandbox catalog supports bring-your-own-container images.[1]
The policy file is the product. Static sections (filesystem paths, syscall filters) lock at sandbox creation and cannot be modified by the constrained process; dynamic sections (network allowlists, inference routes) hot-reload at runtime without restarting the sandbox.[1][2] NVIDIA lists OpenShell in its Build catalog alongside its hosted model endpoints.[5]
Key Capabilities
| Capability | Description |
|---|---|
| Filesystem policy | Landlock LSM locks permitted paths at creation; un-removable by the constrained process[2] |
| Network policy | All egress through an HTTP CONNECT proxy evaluated by OPA rules; hot-reloadable allowlists[2][1] |
| Process policy | seccomp BPF syscall filtering — no privilege escalation, arbitrary sockets, or ptrace[2] |
| Inference routing | Privacy Router directs model API calls to approved backends only; agent context never reaches unauthorized providers[1][2] |
| Credential injection | Secrets passed as environment variables, never written to disk[1] |
| Observability | Real-time terminal UI dashboard over sandbox activity[1] |
| GPU passthrough | Experimental support for GPU workloads inside sandboxes[1] |
Product Surfaces
| Surface | Description | Availability |
|---|---|---|
| CLI + binary | Shell-script or PyPI install, sandbox lifecycle commands | Linux, macOS builds[1] |
| Ubuntu snap | sudo snap install openshell with automated updates | Ubuntu (June 2026)[3] |
| Helm charts | Cluster deployment of gateway + sandboxes | Kubernetes[1] |
| NemoClaw stack | OpenShell as the enforcement layer under NVIDIA's agent reference stack | Apache 2.0, alpha[4] |
Technical Architecture
OpenShell has four components: a Gateway (control-plane API managing sandbox lifecycle), the Sandbox itself (isolated runtime with container supervision and policy-enforced egress), the Policy Engine (filesystem, network, and process constraints), and the Privacy Router (routes model API calls to controlled backends).[1] The codebase is ~90% Rust, and deployment ranges from a single binary to Helm charts on Kubernetes.[1]
sudo snap install openshell
openshell sandbox create
Isolation is kernel-level rather than hardware-level: Landlock policies are applied via landlock_restrict_self() and stacked across process layers, so the constrained process cannot remove them, and seccomp filters block syscall escape routes — but there is no microVM boundary like E2B's Firecracker or Microsandbox's libkrun.[2] Canonical positions the snap as a consistent runtime across DGX systems, RTX Pro workstations, and edge devices.[3]
Key Technical Details
| Aspect | Detail |
|---|---|
| Deployment | Self-hosted: binary/PyPI, Ubuntu snap, or Kubernetes Helm charts[1][3] |
| Model(s) | Agent-agnostic — Claude Code, Codex, OpenCode, Copilot CLI; inference routed through the Privacy Router[1] |
| Isolation | Containers + Landlock LSM + seccomp BPF + network namespace with OPA proxy egress[2] |
| Open Source | Apache 2.0, Rust; docs at docs.nvidia.com/openshell[1][6] |
Strengths
- Policy as code, enforced by the kernel — declarative, human-readable, version-controllable YAML backed by Landlock and seccomp primitives the agent cannot unset; the same review rigor as any other infrastructure-as-code.[2]
- Inference routing is the novel domain — most sandboxes govern files and network; OpenShell additionally controls which model providers may receive agent context, a privacy boundary none of the hosted platforms offer.[1]
- Hot-reloadable policy — network allowlists and inference routes update at runtime without restarting sandboxes, which matters for long-lived agents.[1]
- NVIDIA weight plus distribution — Canonical snap packaging, GTC keynote lineage via NemoClaw, and a docs site under docs.nvidia.com give it credibility most four-month-old projects lack.[3][4]
- Genuinely fast iteration — 858 commits, 53 releases, and 66 contributors in under four months, with pushes on the day of writing.[1]
Cautions
- Alpha by NVIDIA's own admission — the README states "OpenShell is proof-of-life: one developer, one environment, one gateway" — single-player mode, not multi-tenant production infrastructure.[1]
- Not a hosted sandbox API — there is no
sandbox.create()cloud endpoint; teams wanting ephemeral per-request sandboxes at scale are buying a different product entirely.[1] - Kernel-level, not hardware-level isolation — Landlock/seccomp/namespaces are a weaker boundary than the Firecracker or libkrun microVMs used elsewhere in the category; a kernel exploit defeats it.[2]
- Linux-first enforcement — Landlock LSM and seccomp BPF are Linux kernel features; macOS binaries exist but full enforcement targets Linux hosts.[1][2]
- Sparse documentation, growing ecosystem — early adopters report documentation gaps and warn not to expect every agent framework supported on day one.[2]
- 258 open issues against a young codebase — normal for the velocity, but a real adoption tax today.[1]
What Developers Say
Direct community discussion is surprisingly thin for an NVIDIA launch: the largest Hacker News submission drew 4 points and a single comment as of June 2026, so sentiment lives in adjacent sandbox-skepticism threads and practitioner write-ups.[7]
"It's what I now think of as Layer 0 — the execution boundary that makes every other layer trustworthy." — Hector Flores, developer and Copilot CLI provider contributor[2]
"The documentation is sparse in places, and the provider ecosystem is still growing" — the same author, on its rough edges[2]
"The LLM will easily leak these credentials out." — an HN commenter, arguing proxies and gateways don't solve the credential problem sandboxes claim to[8]
"We already have this concept. It's called user accounts" — an HN commenter, skeptical that new sandbox runtimes beat existing OS-level protections[8]
The skeptical thread's consensus cuts at the whole category: once an agent is connected to your email, calendar, and credentials to be useful, kernel isolation only bounds part of the blast radius.[8]
Pricing & Licensing
| Tier | Price | Includes |
|---|---|---|
| Open Source | Free | Full runtime, gateway, policy engine, Privacy Router — Apache 2.0, self-host anywhere[1] |
Licensing model: Apache 2.0 — permissive, commercial use allowed; no paid or hosted tier exists.[1]
Hidden costs: your own compute (Linux hosts, optionally GPUs), LLM API usage for the agents inside the sandboxes, and the operational burden of running alpha-grade infrastructure yourself.[1]
Competitive Positioning
OpenShell competes on governance, not provisioning. The hosted platforms sell sandbox creation as an API; OpenShell sells policy enforcement over agents on infrastructure you control — closer to a security layer than a compute product.[1]
Direct Competitors
| Competitor | Differentiation |
|---|---|
| E2B | Hosted Firecracker microVM sandboxes created per API call, 1B+ started; OpenShell is self-hosted, long-lived, and adds inference routing E2B lacks |
| Microsandbox | Closest philosophical peer — self-hosted, Rust, local-first; but Microsandbox isolates with libkrun hardware microVMs while OpenShell uses kernel LSM policy plus an OPA network proxy |
| Docker / devcontainers | The default agents run in today; containers alone have no syscall policy, egress proxy, or inference routing — OpenShell's pitch is that ad-hoc containers aren't governance |
NemoClaw is a consumer, not a competitor — NVIDIA's reference stack runs OpenClaw and Hermes agents inside OpenShell sandboxes, making it the first proof that the policy layer composes into a full product.[4]
When to Choose OpenShell Over Alternatives
- Choose OpenShell when: you run long-lived agents (Claude Code, Copilot CLI, OpenClaw-style assistants) on your own Linux machines and want auditable, version-controlled policy over what they touch and which models see your context.
- Choose E2B when: you need ephemeral sandboxes provisioned per request at cloud scale with SLAs, not a runtime to operate yourself.
- Choose Microsandbox when: you want self-hosting but with a hardware microVM boundary rather than kernel-level enforcement.
Ideal Customer Profile
Best fit:
- Teams running autonomous coding agents on workstations, DGX boxes, or edge devices who need policy over filesystem, network, and model egress
- Security-conscious organizations that want agent governance expressed as reviewable infrastructure-as-code
- NVIDIA-stack shops adopting NemoClaw or routing inference through controlled backends
- Platform engineers comfortable operating alpha software with a fast patch cadence
Poor fit:
- Products needing hosted, ephemeral sandbox APIs at scale (use E2B or similar)
- Teams requiring hardware-level microVM isolation guarantees today
- Windows or macOS-primary environments — kernel enforcement targets Linux
- Anyone needing supported, SLA-backed production infrastructure now
Viability Assessment
| Factor | Assessment |
|---|---|
| Financial Health | NVIDIA-sponsored open source — effectively unlimited backing, but also subject to NVIDIA's strategic whims |
| Market Position | Most prominent self-hosted policy runtime in the agent-sandbox category; complementary rather than head-on against hosted platforms |
| Innovation Pace | Very fast — 53 releases in under four months, near-daily cadence, pushed the day of writing[1] |
| Community/Ecosystem | 7K+ stars and 66 contributors, plus Canonical distribution; but thin independent discussion and a self-declared single-player scope[1][7] |
| Long-term Outlook | Strong if NVIDIA keeps treating agent runtimes as strategic (NemoClaw suggests it does); alpha label means the API surface will churn |
OpenShell's viability question isn't survival — NVIDIA can fund it indefinitely — but commitment: whether it graduates from "proof-of-life" to a supported multi-tenant runtime, or remains the demo-grade substrate under NemoClaw.[1][4]
Bottom Line
OpenShell is the most architecturally serious attempt yet to treat agent safety as governance rather than just isolation: kernel-enforced, version-controlled YAML policy over files, network, syscalls, and — uniquely — which model providers ever see your agent's context. The Canonical snap and NemoClaw integration give it real distribution, and the release velocity is genuine. But it is alpha software by its own README, kernel-level rather than microVM isolation, Linux-first, and it does not do what E2B-style platforms do — anyone shopping for a hosted sandbox API is in the wrong aisle.
Recommended for: teams self-hosting long-lived coding agents on Linux who want auditable policy and inference-routing control, and NVIDIA-stack adopters building on NemoClaw.
Not recommended for: production workloads needing SLAs, ephemeral sandbox-as-API use cases, or environments requiring hardware-level isolation guarantees.
Outlook: NVIDIA's backing and the NemoClaw dependency make abandonment unlikely; the open question is whether "single-player mode" becomes a supported enterprise runtime before the hosted platforms add policy layers of their own.
Research by Ry Walker Research • methodology
Sources
- [1] NVIDIA OpenShell GitHub Repository
- [2] Hector Flores: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In
- [3] Canonical: NVIDIA OpenShell Now Available as a Snap for Ubuntu
- [4] Cloud Security Alliance: NVIDIA NemoClaw Security Assessment
- [5] OpenShell on NVIDIA Build
- [6] NVIDIA OpenShell Documentation
- [7] NVIDIA OpenShell mentions on Hacker News (Algolia search)
- [8] Hacker News: Why is everyone talking about sandboxes for AI agents?