Skip to main content
OpenShell is a managed sandbox backend: instead of running Docker containers locally, OpenClaw delegates sandbox lifecycle to the openshell CLI, which provisions remote environments and executes commands over SSH. The plugin reuses the same SSH transport and remote filesystem bridge as the generic SSH backend, and adds OpenShell lifecycle (sandbox create/get/delete/ssh-config) plus an optional mirror workspace sync mode.

Prerequisites

  • OpenShell plugin installed (openclaw plugins install @openclaw/openshell-sandbox)
  • openshell CLI on PATH (or a custom path via plugins.entries.openshell.config.command)
  • An OpenShell account with sandbox access
  • OpenClaw Gateway running on the host

Quick start

openclaw plugins install @openclaw/openshell-sandbox
{
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        backend: "openshell",
        scope: "session",
        workspaceAccess: "rw",
      },
    },
  },
  plugins: {
    entries: {
      openshell: {
        enabled: true,
        config: {
          from: "openclaw",
          mode: "remote",
        },
      },
    },
  },
}
Restart the Gateway. On the next agent turn OpenClaw creates an OpenShell sandbox and routes tool execution through it. Verify with:
openclaw sandbox list
openclaw sandbox explain

Workspace modes

This is the most important OpenShell decision.

mirror (default)

plugins.entries.openshell.config.mode: "mirror" keeps the local workspace canonical:
  • Before exec, OpenClaw syncs the local workspace into the sandbox.
  • After exec, OpenClaw syncs the remote workspace back to local.
  • File tools go through the sandbox bridge, but local stays source of truth between turns.
Best for development workflows: local edits outside OpenClaw show up on the next exec, and the sandbox behaves close to the Docker backend. Tradeoff: upload + download cost on every exec turn.

remote

mode: "remote" makes the OpenShell workspace canonical:
  • On first sandbox creation, OpenClaw seeds the remote workspace from local once.
  • After that, exec, read, write, edit, and apply_patch operate directly on the remote workspace. OpenClaw does not sync remote changes back to local.
  • Prompt-time media reads still work (file/media tools read through the sandbox bridge).
Best for long-running agents and CI: lower per-turn overhead, and host-local edits cannot silently clobber remote state.
Editing files on the host outside OpenClaw after the initial seed is invisible to the remote sandbox. Run openclaw sandbox recreate to re-seed.

Choosing a mode

mirrorremote
Canonical workspaceLocal hostRemote OpenShell
Sync directionBidirectional (every exec)One-time seed
Per-turn overheadHigher (upload + download)Lower (direct remote ops)
Local edits visible?Yes, on next execNo, until recreate
Best forDevelopment workflowsLong-running agents, CI

Configuration reference

All OpenShell config lives under plugins.entries.openshell.config:
KeyTypeDefaultDescription
mode"mirror" or "remote""mirror"Workspace sync mode
commandstring"openshell"Path or name of the openshell CLI
fromstring"openclaw"Sandbox source for first-time create
gatewaystringunsetOpenShell gateway name (top-level --gateway)
gatewayEndpointstringunsetOpenShell gateway endpoint (top-level --gateway-endpoint)
policystringunsetOpenShell policy ID for sandbox creation
providersstring[][]Provider names attached at sandbox creation (deduped, one --provider flag per entry)
gpubooleanfalseRequest GPU resources (--gpu)
autoProvidersbooleantruePass --auto-providers (or --no-auto-providers when false) during create
remoteWorkspaceDirstring"/sandbox"Primary writable workspace inside the sandbox
remoteAgentWorkspaceDirstring"/agent"Agent workspace mount path (read-only when workspace access is not rw)
timeoutSecondsnumber120Timeout for openshell CLI operations
remoteWorkspaceDir and remoteAgentWorkspaceDir must be absolute paths and stay under the managed roots /sandbox or /agent; other absolute paths are rejected. Sandbox-level settings (mode, scope, workspaceAccess) live under agents.defaults.sandbox like any backend. See Sandboxing for the full matrix.

Examples

Minimal remote setup

{
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        backend: "openshell",
      },
    },
  },
  plugins: {
    entries: {
      openshell: {
        enabled: true,
        config: {
          from: "openclaw",
          mode: "remote",
        },
      },
    },
  },
}

Mirror mode with GPU

{
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        backend: "openshell",
        scope: "agent",
        workspaceAccess: "rw",
      },
    },
  },
  plugins: {
    entries: {
      openshell: {
        enabled: true,
        config: {
          from: "openclaw",
          mode: "mirror",
          gpu: true,
          providers: ["openai"],
          timeoutSeconds: 180,
        },
      },
    },
  },
}

Per-agent OpenShell with custom gateway

{
  agents: {
    defaults: {
      sandbox: { mode: "off" },
    },
    list: [
      {
        id: "researcher",
        sandbox: {
          mode: "all",
          backend: "openshell",
          scope: "agent",
          workspaceAccess: "rw",
        },
      },
    ],
  },
  plugins: {
    entries: {
      openshell: {
        enabled: true,
        config: {
          from: "openclaw",
          mode: "remote",
          gateway: "lab",
          gatewayEndpoint: "https://lab.example",
          policy: "strict",
        },
      },
    },
  },
}

Lifecycle management

# List all sandbox runtimes (Docker + OpenShell)
openclaw sandbox list

# Inspect effective policy
openclaw sandbox explain

# Recreate (deletes remote workspace, re-seeds on next use)
openclaw sandbox recreate --all
For remote mode, recreate is especially important: it deletes the canonical remote workspace for that scope, and the next use seeds a fresh one from local. For mirror mode, recreate mainly resets the remote execution environment since local stays canonical. Recreate after changing any of:
  • agents.defaults.sandbox.backend
  • plugins.entries.openshell.config.from
  • plugins.entries.openshell.config.mode
  • plugins.entries.openshell.config.policy

Security hardening

The mirror-mode filesystem bridge pins the local workspace root and rechecks canonical paths (via realpath) before every read, write, mkdir, remove, and rename, rejecting mid-path symlinks. A symlink swap or remounted workspace cannot redirect file access outside the mirrored tree.

Current limitations

  • Sandbox browser is not supported on the OpenShell backend.
  • sandbox.docker.binds does not apply to OpenShell; sandbox creation fails if binds are configured.
  • Docker-specific runtime knobs under sandbox.docker.* (other than env) apply only to the Docker backend.

How it works

  1. OpenClaw runs sandbox get for the sandbox name (with any configured --gateway/--gateway-endpoint); if that fails it creates one with sandbox create, passing --name, --from, --policy when set, --gpu when enabled, --auto-providers/--no-auto-providers, and one --provider flag per configured provider.
  2. OpenClaw runs sandbox ssh-config for the sandbox name to fetch SSH connection details.
  3. Core writes the SSH config to a temp file and opens an SSH session through the same remote filesystem bridge as the generic SSH backend.
  4. In mirror mode: sync local to remote before exec, run, sync back after.
  5. In remote mode: seed once on create, then operate directly on the remote workspace.