Isolated environments and secure runtimes for safely executing and testing untrusted code generated by AI.
This project provides secure, containerized infrastructure designed for autonomous agents, remote code execution, and cloud development. It functions as a sandboxed environment where AI agents and external processes can execute code, run shell commands, and manage files while remaining isolated from the host system. The system distinguishes itself by implementing the Model Context Protocol, allowing it to act as a standardized tool server that exposes browser and filesystem capabilities to compatible clients. It further integrates headless browser automation, enabling programmatic web navigation and screenshot capture within the isolated workspace. The platform covers a broad capability surface, including multi-runtime command execution, dynamic port forwarding for application previewing, and shared filesystem coordination. It also provides interactive development tools such as web-based editors, terminals, and notebooks for real-time activity inspection.
This project provides a containerized, API-driven sandbox specifically designed for secure, isolated code execution and agentic workflows, meeting all the requirements for a robust execution environment.
microsandbox is a platform that runs untrusted code inside hardware-isolated microVMs, each with its own kernel, filesystem, and network stack. It boots directly from standard OCI container images, supports copy-on-write filesystem layers, and integrates with AI agents to execute tool calls and generated code in isolated environments with secret protection. What sets microsandbox apart is its host-side network proxy that enforces firewall rules, intercepts DNS, inspects TLS traffic, and injects secrets at the network boundary without exposing them inside the VM. It provides SSH access to microVMs without requiring an SSH daemon inside the guest, and can capture, export, and boot from filesystem snapshots for state preservation and replication. The platform also surfaces typed error objects across SDKs for precise failure matching. Beyond core isolation, microsandbox includes full sandbox lifecycle management — creation, graceful shutdown, force termination, replacement, and state deletion — along with configurable storage attachments, interactive terminal sessions, command execution with streaming output, and metric export via OpenTelemetry to backends like Datadog and Prometheus. The engine deploys as a Docker container from multi-arch images and is configured through a JSON settings file.
This platform provides hardware-isolated microVMs specifically designed for running untrusted code, offering the containerized isolation, resource management, and API-driven execution required for secure AI code generation.
OpenSandbox is a secure execution environment and runtime designed for running untrusted code and scripts generated by AI agents. It utilizes a containerized code execution engine and microVM-based isolation to protect host systems from malicious actions while providing isolated virtual environments. The project features a sandbox server based on the Model Context Protocol to automate the creation and control of virtual workspaces. It supports the deployment of secure remote desktop hosts, including headless web browsers and editor instances, for automated interaction. The system includes an isolated workload network gateway for managing egress routing and a vault mechanism for secure credential injection into outbound requests. Additional capabilities cover filesystem operations and a dedicated command-line interface for environment management and diagnostics.
OpenSandbox is a dedicated code execution sandbox that provides containerized and microVM-based isolation, network egress control, and API-driven management specifically designed for safely running untrusted AI-generated code.
container-use is a containerized AI execution environment and code sandbox designed to provide a secure space for AI coding agents to execute commands and build applications. It functions as a workspace orchestrator that provisions isolated containers mapped to git branches, allowing multiple agents to operate in parallel without state conflicts or affecting the host system. The project serves as a Model Context Protocol server, bridging AI agents to containerized environments for standardized tool access. It enables a workflow for reviewing and merging changes made by agents within these isolated environments back into a local repository. The system includes capabilities for agentic workflow monitoring through command history logging and provides mechanisms for human intervention via direct terminal tunneling into active sessions. It further supports bidirectional file system syncing to facilitate the review and integration of agent-generated code.
This project provides a containerized, API-driven execution environment specifically designed to isolate AI-generated code and agentic workflows, meeting all the requirements for a secure code execution sandbox.
This is a lightweight, high-performance WebAssembly runtime that provides a secure, isolated execution environment for untrusted code, though it is specifically optimized for embedded and IoT contexts rather than general-purpose containerized sandboxing.
Wasmtime is a WebAssembly runtime and sandboxed bytecode executor designed to run WebAssembly bytecode on a host system. It functions as an embeddable engine that integrates into applications through native APIs and language-specific bindings, as well as a standalone execution environment accessible via a command line interface. It is a WASI compatible runtime, implementing the WebAssembly System Interface to provide portable access to system resources. The engine utilizes a JIT compilation model to translate intermediate representation into optimized machine code for various CPU architectures. To balance performance and startup time, it supports multiple execution strategies, including a single-pass baseline compiler for fast startup and a portable interpreter for immediate execution without compilation. The runtime provides secure code sandboxing and resource consumption limits for CPU and memory to ensure host stability. Security is further managed through bounds-checked memory access to mitigate side-channel attacks. Additionally, the project supports polyglot component integration, allowing software components written in different programming languages to communicate via standardized binary formats and interfaces.
Wasmtime is a secure, high-performance WebAssembly runtime that provides robust, isolated execution environments with built-in resource constraints and memory safety, making it a powerful tool for sandboxing untrusted code.
rlm is an LLM code execution engine and orchestration framework designed to coordinate multiple language model calls and recursive sub-tasks through a programmable environment. It provides a sandboxed REPL environment and a recursive context processor to handle inputs that exceed standard token limits by programmatically decomposing prompts. The project differentiates itself through a reinforcement learning training harness used to teach models how to utilize recursive calls and code execution. It includes a reasoning visualization system that records and renders execution trajectories to analyze how models decompose and solve complex tasks. The system supports secure code execution via pluggable backends, including cloud virtual machines, isolated containers, and local processes. It manages state across multiple turns using a REPL-based environment and allows for the injection of custom tools and external functions into the execution flow. The framework is implemented in Python.
This project provides a programmable, sandboxed REPL environment with pluggable isolation backends like containers and virtual machines, making it a functional tool for executing untrusted code within an LLM-driven workflow.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an independent userspace network stack and proxy-based filesystem access. These mechanisms ensure that containerized applications remain isolated from the host, even when requiring access to specialized hardware like GPUs, which are handled through secure passthrough proxies. Additionally, the runtime supports state serialization, allowing for the checkpointing and restoration of running container states to facilitate migration and persistence across different host environments. Beyond its core isolation capabilities, the project provides a comprehensive suite of tools for managing container lifecycles, resource accounting, and observability. It includes features for filesystem virtualization, such as writable overlays and read-only image support, alongside telemetry interfaces for monitoring performance and security events. The runtime is designed to operate across diverse Linux environments, including bare-metal and virtual machines, without requiring specialized virtualization hardware. The project is distributed as an open-source runtime that integrates directly into existing container management workflows.
This is a secure container runtime that provides the robust, kernel-level isolation required to safely execute untrusted code within a sandboxed environment.
Deno is a high-performance runtime for JavaScript and TypeScript that prioritizes security and developer productivity. Built on the V8 engine, it provides a secure execution environment that enforces a default-deny security model, requiring explicit user authorization for access to system resources like the file system, network, and environment variables. The runtime natively supports modern web-standard APIs, ensuring consistent behavior and portability across different environments. What distinguishes Deno is its integrated approach to the software development lifecycle. It bundles essential utilities—including a formatter, linter, test runner, and dependency manager—directly into the runtime, eliminating the need for external build tools or complex transpilation steps. The platform features a universal module resolution system that supports remote HTTPS URLs, local paths, and standard package registries, all backed by lockfiles to ensure build determinism and supply chain security. Beyond its core runtime capabilities, Deno includes a built-in, persistent key-value database engine that supports atomic transactions and reactive data monitoring. It also provides a robust compatibility layer for the Node.js ecosystem, allowing for the seamless execution of legacy modules and native binary addons. For multi-tenant or distributed applications, the runtime offers isolated sandbox environments that manage resource constraints and security boundaries, facilitating secure code execution in shared infrastructure. The project is distributed as a single binary, providing a unified toolchain for managing dependencies, executing tasks, and configuring runtime security policies.
Deno is a secure JavaScript and TypeScript runtime that provides built-in sandbox isolation and resource management, making it a capable environment for executing untrusted code despite being language-specific rather than a general-purpose container orchestrator.
E2B is a cloud-based infrastructure platform designed to provide secure, isolated execution environments for code and shell commands. It functions as an ephemeral orchestrator that provisions lightweight virtual machines, allowing developers and autonomous agents to run untrusted processes within a sandbox that is completely separated from the host system. The platform distinguishes itself through its focus on programmable, serverless workspaces that support the full lifecycle of cloud-based development. By utilizing hardware-level isolation and snapshot-based resumption, it enables the near-instant restoration of complex environments. Users can define reproducible configurations through versioned templates, ensuring that software dependencies and system settings remain consistent across every session. The system provides a comprehensive suite of tools for managing remote resources, including real-time terminal stream multiplexing and filesystem synchronization. These capabilities allow for the automated execution of tasks, such as managing files, installing dependencies, and controlling the state of cloud instances to optimize resource usage. The platform is accessible via a command-line interface and automated APIs designed to integrate directly into development workflows.
E2B provides a secure, API-driven infrastructure for ephemeral, isolated sandboxes that support resource constraints and network isolation, making it a purpose-built solution for running untrusted or AI-generated code.
Fragments is an open-source AI code generation sandbox that produces code automatically based on user prompts and executes it inside isolated cloud environments. The project provides a secure foundation for running AI-generated code by sandboxing execution away from the host system, preventing potential harm while allowing users to see results immediately. The sandbox supports customization through configurable execution environments defined via Dockerfiles, enabling code to run in specific runtimes or frameworks. Users can integrate different language models and model providers by registering their identifiers, API endpoints, and authentication keys, giving flexibility in choosing which AI powers code generation. The system also streams AI responses incrementally in the user interface, providing real-time feedback as code is generated. Additional capabilities include installing packages from registries like npm or pip during execution, and hosting the sandbox as a deployable web interface. The project's documentation covers setup, configuration of custom environments and models, and deployment instructions for getting a sandbox instance running.
Fragments is a purpose-built sandbox designed specifically for the secure, isolated execution of AI-generated code, offering containerized environments, resource management, and API-driven control that directly match the requirements for a secure code execution sandbox.
Firecracker is a virtual machine monitor that leverages hardware-assisted virtualization to create and manage isolated execution environments. It functions as a lightweight runtime designed to launch virtual machines with minimal memory overhead and near-instantaneous startup times, providing the security of traditional hardware virtualization with the efficiency of containerized workloads. The project distinguishes itself through a security-focused architecture that enforces strict process boundaries using system-level barriers and restricted user privileges. It minimizes the attack surface by implementing a minimalist device model, which includes only the essential virtualized hardware required for booting. Management of the virtual machine lifecycle and hardware configuration is handled through a synchronous network-based control plane, allowing for precise runtime adjustments to CPU, memory, and device attachments. The system supports high-performance communication between the guest operating system and host resources through standardized device emulation. It is designed for multi-tenant infrastructure, enabling the secure execution of concurrent workloads on shared physical hardware. The software is distributed as a single statically linked binary to simplify deployment across diverse host environments.
Firecracker provides a secure, hardware-virtualized microVM environment that offers the strict isolation, resource control, and API-driven management required to safely execute untrusted code.
This project provides a containerized network bridge that isolates corporate VPN software from the host operating system. It utilizes a Docker container to encapsulate the VPN client, preventing software conflicts and installation clutter on the host machine. The system includes a web-accessible graphical user interface for remote login and session management, allowing users to interact with VPN authentication prompts from any device. To enable application-level access, it implements a SOCKS5 and HTTP proxy gateway that routes host machine network traffic through the containerized connection. The project further supports network traffic isolation and remote access through the use of virtual displays and proxy-based routing.
This project is a containerized VPN client designed for network routing and remote access, rather than a general-purpose sandbox for executing untrusted or AI-generated code.
Moltworker is an AI agent sandbox and model orchestrator designed for the secure execution of untrusted code and shell commands generated by large language models. It functions as a gateway proxy that routes requests to multiple AI providers through a unified interface, integrating a container runtime backed by S3-compatible object storage to persist state across ephemeral lifecycles. The system distinguishes itself by combining an AI model orchestrator with a headless browser controller for automated web scraping and screenshot capture. It manages the full lifecycle of AI agents, including multi-channel chat integration, consolidated billing across different providers, and expenditure limits to control operational costs. The platform provides a broad suite of capabilities for ephemeral environment hosting, including isolated build pipelines and the exposure of services via preview URLs. It incorporates security and observability tools such as token-based proxy authentication, response caching, and traffic analysis to monitor token usage and request volume. The infrastructure supports real-time interaction through a browser-based terminal interface using WebSocket streaming and monitors filesystem changes for automated build processes.
This tool provides a secure, containerized environment specifically designed for executing untrusted code generated by AI agents, though it bundles these capabilities with broader AI orchestration and browser automation features.
AssemblyScript is a compiler and tooling suite used for WebAssembly module development. It converts a subset of TypeScript syntax into binary modules to achieve high execution speeds and cross-platform binary execution. The project focuses on translating typed source code into the compact binary format required by WebAssembly runtimes. This allows for the movement of computationally heavy logic into binary modules for browser performance optimization and execution across different operating systems. The compilation process involves TypeScript-compatible syntax analysis and the generation of binary modules using static type-based memory mapping and managed linear memory. The system utilizes ahead-of-time compiled bytecode and strict type-erasure to produce lean machine-level instructions.
This is a compiler for generating WebAssembly modules rather than a sandbox environment for executing untrusted code, though it could serve as a language-specific tool to be run inside such a sandbox.
Bocker is a minimal container management tool written in Bash that implements core container functionality using Linux namespaces and control groups. It serves as a Linux container manager capable of starting and managing isolated processes and images through low-level kernel features. The project includes an OCI image tool for pulling, saving, and building container images compatible with industry standards. It further integrates a cgroup resource controller to restrict CPU and memory consumption for isolated processes. The tool covers the full container lifecycle, including process isolation and image management. This encompasses the ability to build custom images, pull from remote registries, and execute commands within active containers.
This is a low-level container management tool that provides the underlying isolation primitives, but it lacks the API-driven execution layer and specialized security hardening required for a dedicated code execution sandbox.
DeepSeek-TUI is an AI coding agent orchestrator and framework designed to automate complex programming tasks. It functions as a harness for coordinating AI models that can read source code, edit files, and execute shell commands through automated agent workflows. The system is distinguished by its multi-agent coordination capabilities, which allow for the spawning of parallel sub-agents to handle concurrent investigations or implementation slices. It employs autonomous goal-seeking loops to pursue objectives across multiple turns and utilizes a tool integration gateway to connect models to external servers and local tools via a standardized exchange protocol. The project provides a command line interface for headless task execution and pipeline integration. Security is managed through a sandboxed execution environment with a permission system to control tool calls, while a hierarchical instruction resolver manages priorities between global laws and project policies. State management features include session persistence and the ability to roll back agent actions using snapshots.
This project is an AI agent orchestrator that includes a sandboxed execution environment for running code generated by its agents, though its primary focus is on agentic workflows rather than serving as a general-purpose, standalone code execution sandbox.
Open Interpreter is an autonomous agent runtime that translates natural language instructions into executable code to interact with local software and operating systems. It functions as an orchestration framework that connects language models to a secure execution environment, enabling the development of agents capable of managing system resources and performing complex tasks. To ensure safety, the system mandates explicit user verification before executing any generated code and provides robust isolation through containerized sandboxing. The project distinguishes itself through its deep integration with local environments and its focus on secure, human-in-the-loop automation. It supports a wide range of hosted and local language models, allowing users to balance privacy and performance requirements. Beyond simple script execution, it features vision-enabled automation that analyzes screen content to simulate mouse and keyboard interactions, effectively allowing the agent to navigate graphical user interfaces as a human would. The system provides a comprehensive suite of computer automation primitives, including tools for managing calendar events, email communications, and clipboard data. It is designed for extensibility, offering support for custom language runtimes and remote sandbox configurations to handle specialized execution needs. Users can manage the interpreter's behavior through detailed configuration settings, including options for stateful conversation persistence and telemetry controls. The software is distributed as a Python-based package and can be installed and configured to run within isolated container environments to maintain host system security.
This project is an autonomous agent framework that utilizes containerized sandboxing to safely execute AI-generated code, making it a functional tool for isolated code execution even though its primary focus is on agent orchestration.
CodeWhale is an AI coding agent orchestrator and development harness designed to coordinate autonomous agents that read, edit, and verify code. It provides a secure environment for AI agents to perform multi-step software engineering tasks, utilizing a sandboxed execution model to isolate shell commands and protect the host system. The system distinguishes itself by spawning multiple independent agents in parallel to handle separate investigation or implementation slices simultaneously. It employs a multi-model gateway to route requests across various cloud APIs and local servers, and utilizes a hierarchical instruction system to resolve conflicts between global laws, project invariants, and user requests. The platform covers a broad range of automation capabilities, including autonomous goal execution, reusable workflow loading, and session persistence to resume long-running tasks. It also supports snapshot-based state rollbacks to restore codebases without altering git history and integrates with external protocols to share tool definitions across different AI environments. The project includes a command line interface for executing autonomous workflows in a headless mode.
This project provides a sandboxed execution environment specifically designed to isolate shell commands and protect the host system during autonomous AI coding tasks, fulfilling the core requirement for a secure code execution sandbox.
Lima is a virtualization engine designed to provision and manage lightweight Linux, macOS, and FreeBSD virtual machines. It functions as a comprehensive virtual machine manager that leverages native hypervisors and system emulation to provide isolated environments for container development, cross-architecture testing, and secure sandboxing. The project distinguishes itself through its template-driven provisioning system, which allows users to define and automate environment configurations via local files or remote URL schemes. It integrates deeply with host systems by providing automated filesystem bridging, network port forwarding, and DNS resolution, while enabling AI agents to interact with guest environments through standardized interfaces. Beyond its core virtualization capabilities, the platform supports complex infrastructure needs including persistent storage management, snapshotting, and multi-node networking. It facilitates container orchestration by deploying lightweight Kubernetes distributions and accelerating multi-platform image execution through hardware-assisted binary translation. The tool is managed via a command-line interface that supports shell autocompletion, custom command extensions, and CI/CD pipeline integration. Users can install the software and manage virtual machine lifecycles through standard terminal commands and configuration files.
Lima provides a robust, hypervisor-based virtualization environment that offers the strong isolation and resource management required for safely executing untrusted code, though it functions as a general-purpose VM manager rather than a specialized code-execution API.