Run AI agents inside an NVIDIA OpenShell sandbox with all LLM traffic routed through ForceField's 10-step security pipeline.
- Network egress locked down: Only ForceField gateway, GitHub API (read-only), npm, and PyPI are reachable. All other outbound traffic is blocked.
- Inference routing: All model API calls go through ForceField for prompt injection detection, PII redaction, output moderation, and tool call interception.
- Credential isolation: API keys injected at runtime via OpenShell providers, never written to disk.
- Process hardening: No privilege escalation, default seccomp profile.
- Filesystem scoping: Write access limited to workspace and /tmp.
- Dynamic egress restriction: ForceField's chain pattern detector can tighten sandbox network policy in real time if it detects data exfiltration or privilege escalation sequences.
- NVIDIA OpenShell installed
- A ForceField API key (request access)
- Docker (for building the sandbox image)
# 1. Clone this repo
git clone https://github.com/Data-ScienceTech/forcefield-openshell-sandbox.git
cd forcefield-openshell-sandbox
# 2. Set your ForceField API key
export FORCEFIELD_API_KEY=ff-your-key-here
# 3. Create a provider (auto-discovers from env)
openshell provider create --type anthropic --from-existing
# 4. Create a sandboxed agent with the ForceField policy
openshell sandbox create --from . --name secured-agent -- claude
openshell policy set secured-agent --policy policy.yaml --wait
# 5. Connect and use the agent -- all LLM calls are now scanned
openshell sandbox connect secured-agent| File | Purpose |
|---|---|
policy.yaml |
OpenShell network policy: default-deny egress, inference routing through ForceField, filesystem and process constraints |
Dockerfile |
Ubuntu 22.04 sandbox image with dev tools, ForceField gateway URL pre-configured |
Edit policy.yaml to:
- Add additional allowed network destinations
- Switch the ForceField gateway URL (self-hosted vs Cloud Run)
- Adjust filesystem write paths for your workflow
Agent (Claude/Codex/OpenCode)
|
v
OpenShell Sandbox (container isolation + network policy)
|
v (HTTPS, X-API-Key header)
ForceField Gateway (/v1/chat/completions)
|-- Pattern matching (352 WAF rules)
|-- ML ensemble (TF-IDF + DeBERTa transformer)
|-- PII redaction (18 types)
|-- Tool call interception
|-- Chain-of-action attack detection
|-- Output moderation
|-- Token budget enforcement
|-- Audit trail
|
v
Upstream Model (Anthropic/OpenAI/Google/local)
- ForceField AI Security Gateway -- the runtime security layer
- Agentic AI Security -- MCP proxy gateway, tool call interception, chain tracking, sandbox execution
- NVIDIA OpenShell -- sandboxed runtime for AI agents
MIT