sandboxed.sh is the safe runtime for autonomous on-chain AI agents.

Run OKX security skills unattended inside isolated Linux workspaces, without leaking wallet secrets to the model, the host, or unrelated missions. This is a real shipped product, not a hackathon toy: sandboxed.sh already has a web dashboard, iOS app, per-mission runtimes for Claude Code/OpenCode/Amp, a Git-backed Library, encrypted secrets, MCP integration, and production install docs for Docker and native Ubuntu.

Why this matters for OKX:

• Read-only is the feature: the bundled okx-security skill can inspect token, DApp, transaction, signature, and approval risk without signing or broadcasting anything.
• Isolation matches the threat model: each autonomous run gets its own workspace, so OKX risk checks can run unattended without exposing host files or long-lived credentials.
• Skills become operational infrastructure: the same Library item is synced into Claude Code, OpenCode, and Amp mission environments instead of being a one-off demo prompt.

Try it in 60 seconds:

git clone https://github.com/Th0rgal/sandboxed.sh.git
cd sandboxed.sh
cp .env.example .env
docker compose up -d
npx --yes @xagt/agent-plugin@latest setup --target all
# In the dashboard, create a workspace from:
# "autonomous-transaction-safety-check"

Self-hosted cloud orchestrator for AI coding agents
Isolated Linux workspaces with Claude Code, OpenCode, Codex, Gemini, and Grok runtimes

Formerly known as Open Agent

Website · Discord · Vision · Features · Ecosystem · Screenshots · Getting Started

Ready to deploy? Jump to the installation comparison, or go straight to the Docker guide / native guide.

What if you could:

Hand off entire dev cycles. Point an agent at a GitHub issue, let it write code, test by launching desktop applications, and open a PR when tests pass. You review the diff, not the process.

Run multi-day operations unattended. Give an agent SSH access to your home GPU through a VPN. It reads Nvidia docs, sets up training, fine-tunes models while you sleep.

Keep sensitive data local. Analyze your sequenced DNA against scientific literature. Local inference, isolated containers, nothing leaves your machines.

• Multi-Runtime Support: Run Claude Code, OpenCode, Codex, Gemini, and Grok agents in the same infrastructure
• Mission Control: Start, stop, and monitor agents remotely with real-time streaming
• Isolated Workspaces: Containerized Linux environments (systemd-nspawn) with per-mission directories
• Git-backed Library: Skills, tools, rules, agents, and MCPs versioned in a single repo
• Telegram Integration: Connect bots to missions for chat-based AI assistants with auto-mission creation per chat
• Automations: Schedule recurring agent runs with cron-like triggers
• Model Routing: Provider fallback chains with health checks and rate-limit handling
• MCP Registry (optional): Extra tool servers (desktop/playwright/etc.) when needed
• OpenAI-compatible Proxy Queue Mode: Optional deferred execution for /v1/chat/completions when all routed providers are temporarily rate-limited
• Multi-platform: Web dashboard (Next.js) and iOS app (SwiftUI) with Picture-in-Picture

sandboxed.sh orchestrates multiple AI coding agent runtimes:

• Claude Code: Anthropic's official coding agent with native skills support (.claude/skills/)
• OpenCode: Open-source alternative via oh-my-opencode
• Codex, Gemini, and Grok: Native CLI backends for OpenAI, Google, and xAI coding agents

Each runtime executes inside isolated workspaces, so bash commands and file operations are scoped correctly. sandboxed.sh handles orchestration, workspace isolation, and Library-based configuration management.

Real-time monitoring with CPU, memory, network graphs and mission timeline

Git-backed Library with skills, commands, rules, and inline editing

MCP server management with runtime status and Library integration

git clone https://github.com/Th0rgal/sandboxed.sh.git
cd sandboxed.sh
cp .env.example .env
# Edit .env with your settings
docker compose up -d

Open http://localhost:3000 — that's it.

For container workspace isolation (recommended), uncomment privileged: true in docker-compose.yml.

→ Full Docker setup guide

For production servers running Ubuntu 24.04 with maximum performance and native systemd-nspawn isolation.

→ Full native installation guide

After installation, follow the Getting Started Guide for:

• Configuring your backend connection
• Setting up your library repository
• Exploring skills and tools
• Creating your first mission

Point your coding agent at the installation guide and let it handle the deployment:

"Deploy Sandboxed.sh on my server at 1.2.3.4 with domain agent.example.com"

• Getting Started - First-time setup and usage
• Docker Installation - Recommended installation method
• Native Installation - Bare metal Ubuntu setup

• Harness System - Backend integration architecture
• Workspaces - Isolated execution environments
• Mission API - Mission lifecycle and control
• Workspace API - Workspace management endpoints
• Backend API - Backend configuration

• Telegram Assistant - Connect Telegram bots to missions
• Desktop Setup - X11/Xvfb configuration for GUI automation

• agents.md - Agent configuration and harness details
• Persistent Sessions Design - Claude CLI session management
• Debugging Guide - Troubleshooting and debug workflows
• Docker Analysis - Docker setup deep dive

Enable pre-push formatting checks to catch CI failures locally:

git config core.hooksPath .githooks

This runs cargo fmt --check before each push. If formatting issues are found, run cargo fmt --all to fix them.

Work in Progress — This project is under active development. Contributions and feedback welcome.

MIT