Description: OpenShell is the safe, private runtime for autonomous AI agents.
Repository: NVIDIA/OpenShell on GitHub
Detailed Description
OpenShell, developed by NVIDIA, is a novel runtime environment designed to provide a safe and private space for autonomous AI agents. Its primary purpose is to protect sensitive data, credentials, and infrastructure from unauthorized access and potential security threats. The project is currently in an alpha state, focusing on single-user environments, but with a clear roadmap towards multi-tenant enterprise deployments.
The core functionality of OpenShell revolves around creating sandboxed execution environments. These sandboxes are isolated containers that enforce strict security policies. Key features include policy-enforced egress routing, which controls network access, and declarative YAML policies that govern file access, data exfiltration, and network activity. This allows users to define precisely what actions an AI agent is permitted to perform, minimizing the risk of malicious activity or accidental data breaches.
OpenShell's architecture comprises several key components. The "Gateway" acts as a control-plane API, managing the lifecycle of sandboxes and serving as the authentication boundary. The "Sandbox" provides the isolated runtime environment, supervising the container and enforcing egress routing based on the defined policies. The "Policy Engine" is responsible for enforcing filesystem, network, and process constraints, ensuring that the agent operates within the defined boundaries. Finally, the "Privacy Router" handles LLM routing, keeping sensitive context within the sandbox's compute resources. These components work together, running as a K3s Kubernetes cluster within a single Docker container, simplifying deployment and management.
The system offers multiple layers of protection. The "Filesystem" layer prevents unauthorized file access, the "Network" layer blocks unauthorized outbound connections, the "Process" layer prevents privilege escalation and dangerous system calls, and the "Inference" layer reroutes model API calls to controlled backends. These layers are enforced through declarative YAML policies, allowing for flexible and granular control over the agent's behavior. Network and inference policies can be updated dynamically, while filesystem and process policies are locked at sandbox creation.
OpenShell also introduces the concept of "providers," which manage credentials such as API keys and tokens. A provider injects credentials into a sandbox as environment variables, so they are never written to the sandbox filesystem. This is particularly useful for agents that require access to external services. The CLI simplifies the creation of providers, automatically discovering credentials for supported agents such as Claude, Codex, OpenCode, and Copilot.
The project also offers experimental GPU support, allowing users to pass host GPUs into sandboxes for local inference or fine-tuning. This feature requires specific host configurations, including NVIDIA drivers and the NVIDIA Container Toolkit.
OpenShell is designed to be agent-first, meaning that the project itself is developed using agent-driven workflows. The repository includes agent skills for various tasks, such as cluster debugging, policy generation, and security reviews. This approach streamlines the development process and encourages contributions from the community. The project provides a comprehensive CLI with commands for creating and managing sandboxes, setting policies, creating providers, and monitoring logs. A real-time terminal UI is also available, providing a live view of the cluster's health and sandbox status.
OpenShell supports creating sandboxes from various sources, including the OpenShell Community catalog, local directories, and container images. This flexibility allows users to customize their sandboxes and integrate them with existing workflows. The project provides extensive documentation, including quickstart guides, tutorials, and architecture overviews, to help users get started and understand the system's inner workings. The project is licensed under the Apache License 2.0, promoting open-source collaboration and usage.