Overview of NVIDIA OpenShell — NVIDIA OpenShell Developer Guide
# Overview of NVIDIA OpenShell
NVIDIA OpenShell is an open-source runtime for executing autonomous AI agents in sandboxed environments with kernel-level isolation. It combines sandbox runtime controls and a declarative YAML policy so teams can run agents without giving them unrestricted access to local files, credentials, and external networks.
## Why OpenShell Exists
AI agents are most useful when they can read files, install packages, call APIs, and use credentials. That same access can create material risk. OpenShell is designed for this tradeoff: preserve agent capability while enforcing explicit controls over what the agent can access.
## Common Risks and Controls
The table below summarizes common failure modes and how OpenShell mitigates them.
| Threat | Without controls | With OpenShell |
|---|---|---|
| Data exfiltration | Agent uploads source code or internal files to unauthorized endpoints. | Network policies allow only approved destinations; other outbound traffic is denied. |
| Credential theft | Agent reads local secrets such as SSH keys or cloud credentials. | Filesystem restrictions (Landlock) confine access to declared paths only. |
| Unauthorized API usage | Agent sends prompts or data to unapproved model providers. | Privacy routing and network policies control where inference traffic can go. |
| Privilege escalation | Agent attempts sudo, setuid paths, or dangerous syscall behavior. | Unprivileged process identity and seccomp restrictions block escalation paths. |
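The process-layer control in the last row, as an added example that is not OpenShell's own code: a minimal seccomp-BPF filter of the kind a sandbox runtime installs before handing control to the agent. It sets `no_new_privs` (so `sudo` and other setuid binaries can no longer raise the process's privileges on `execve`) and makes the `setuid`/`setgid` syscalls fail with `EPERM` while allowing everything else. It assumes Linux on x86_64 or aarch64 with the kernel UAPI headers; the function names and the set of denied syscalls are illustrative and not OpenShell's actual policy.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Pin the filter to the build target's ABI so a foreign-ABI syscall is killed
 * rather than having its number looked up in the wrong syscall table. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif

/* What a denied syscall sees from user space: -1 with errno == EPERM. */
#define DENY_EPERM \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install the filter (illustrative policy, not OpenShell's). Returns 0 on
 * success or -1 with errno set if the kernel refuses. Once installed, the
 * filter is inherited by every child and cannot be removed. */
int install_no_setuid_filter(void) {
    struct sock_filter filter[] = {
        /* 1. Check the ABI; kill the process on mismatch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 2. Load the syscall number; deny identity-changing calls. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setuid, 0, 1),
        DENY_EPERM,
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setgid, 0, 1),
        DENY_EPERM,
        /* 3. Everything else passes through to the kernel unchanged. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required to load a filter without CAP_SYS_ADMIN, and on its own
     * stops setuid binaries such as sudo from granting new privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Attempt to become root; returns 0 on success, else the errno produced
 * (EPERM once the filter is active, regardless of the caller's uid). */
int try_setuid_root(void) {
    return setuid(0) == 0 ? 0 : errno;
}
```

A production filter would also need an explicit allow-list rather than default-allow, and would deny the whole family of identity and capability calls, not just these two.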
## Protection Layers at a Glance
OpenShell applies defense in depth across the following policy domains.
| Layer | What it protects | When it applies |
|---|---|---|
| Filesystem | Prevents reads/writes outside allowed paths. | Locked at sandbox creation. |
| Network | Blocks unauthorized outbound connections. | Hot-reloadable at runtime. |
| Process | Blocks privilege escalation and dangerous syscalls. | Locked at sandbox creation. |
| Inference | Reroutes model API calls to controlled backends. | Hot-reloadable at runtime. |
For details, refer to Sandbox Policies and Customize Sandbox Policies.
## Common Use Cases
OpenShell supports a range of agent deployment patterns.
| Use Case | Description |
|---|---|
| Secure coding agents | Run Claude Code, OpenCode, or OpenClaw with constrained file and network access. |
| Private enterprise development | Route inference to self-hosted or private backends while keeping sensitive context under your control. |
| Compliance and audit | Treat policy YAML as version-controlled security controls that can be reviewed and audited. |
| Reusable environments | Use community sandbox images or bring your own containerized runtime. |
## Next Steps
Explore these topics to go deeper:
- To understand the components that make up the OpenShell runtime, refer to the Architecture Overview.
- To install the CLI and create your first sandbox, refer to the Quickstart.
- To learn how OpenShell enforces isolation across all protection layers, refer to Sandboxes.