docs/gateway/openshell.md
OpenShell is a managed sandbox backend: instead of running Docker containers
locally, OpenClaw delegates sandbox lifecycle to the openshell CLI, which
provisions remote environments and executes commands over SSH.
The plugin reuses the same SSH transport and remote filesystem bridge as the
generic SSH backend, and adds OpenShell
lifecycle (sandbox create/get/delete/ssh-config) plus an optional mirror
workspace sync mode.
openclaw plugins install @openclaw/openshell-sandbox)openshell CLI on PATH (or a custom path via
plugins.entries.openshell.config.command)openclaw plugins install @openclaw/openshell-sandbox
{
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "openshell",
scope: "session",
workspaceAccess: "rw",
},
},
},
plugins: {
entries: {
openshell: {
enabled: true,
config: {
from: "openclaw",
mode: "remote",
},
},
},
},
}
Restart the Gateway. On the next agent turn OpenClaw creates an OpenShell sandbox and routes tool execution through it. Verify with:
openclaw sandbox list
openclaw sandbox explain
This is the most important OpenShell decision.
plugins.entries.openshell.config.mode: "mirror" keeps the local workspace
canonical:
exec, OpenClaw syncs the local workspace into the sandbox.exec, OpenClaw syncs the remote workspace back to local.Best for development workflows: local edits outside OpenClaw show up on the next exec, and the sandbox behaves close to the Docker backend.
Tradeoff: upload + download cost on every exec turn.
mode: "remote" makes the OpenShell workspace canonical:
exec, read, write, edit, and apply_patch operate
directly on the remote workspace. OpenClaw does not sync remote changes
back to local.Best for long-running agents and CI: lower per-turn overhead, and host-local edits cannot silently clobber remote state.
<Warning> Editing files on the host outside OpenClaw after the initial seed is invisible to the remote sandbox. Run `openclaw sandbox recreate` to re-seed. </Warning>mirror | remote | |
|---|---|---|
| Canonical workspace | Local host | Remote OpenShell |
| Sync direction | Bidirectional (every exec) | One-time seed |
| Per-turn overhead | Higher (upload + download) | Lower (direct remote ops) |
| Local edits visible? | Yes, on next exec | No, until recreate |
| Best for | Development workflows | Long-running agents, CI |
All OpenShell config lives under plugins.entries.openshell.config:
| Key | Type | Default | Description |
|---|---|---|---|
mode | "mirror" or "remote" | "mirror" | Workspace sync mode |
command | string | "openshell" | Path or name of the openshell CLI |
from | string | "openclaw" | Sandbox source for first-time create |
gateway | string | unset | OpenShell gateway name (top-level --gateway) |
gatewayEndpoint | string | unset | OpenShell gateway endpoint (top-level --gateway-endpoint) |
policy | string | unset | OpenShell policy ID for sandbox creation |
providers | string[] | [] | Provider names attached at sandbox creation (deduped, one --provider flag per entry) |
gpu | boolean | false | Request GPU resources (--gpu) |
autoProviders | boolean | true | Pass --auto-providers (or --no-auto-providers when false) during create |
remoteWorkspaceDir | string | "/sandbox" | Primary writable workspace inside the sandbox |
remoteAgentWorkspaceDir | string | "/agent" | Agent workspace mount path (read-only when workspace access is not rw) |
timeoutSeconds | number | 120 | Timeout for openshell CLI operations |
remoteWorkspaceDir and remoteAgentWorkspaceDir must be absolute paths and
stay under the managed roots /sandbox or /agent; other absolute paths are
rejected.
Sandbox-level settings (mode, scope, workspaceAccess) live under
agents.defaults.sandbox like any backend. See
Sandboxing for the full matrix.
{
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "openshell",
},
},
},
plugins: {
entries: {
openshell: {
enabled: true,
config: {
from: "openclaw",
mode: "remote",
},
},
},
},
}
{
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "openshell",
scope: "agent",
workspaceAccess: "rw",
},
},
},
plugins: {
entries: {
openshell: {
enabled: true,
config: {
from: "openclaw",
mode: "mirror",
gpu: true,
providers: ["openai"],
timeoutSeconds: 180,
},
},
},
},
}
{
agents: {
defaults: {
sandbox: { mode: "off" },
},
list: [
{
id: "researcher",
sandbox: {
mode: "all",
backend: "openshell",
scope: "agent",
workspaceAccess: "rw",
},
},
],
},
plugins: {
entries: {
openshell: {
enabled: true,
config: {
from: "openclaw",
mode: "remote",
gateway: "lab",
gatewayEndpoint: "https://lab.example",
policy: "strict",
},
},
},
},
}
# List all sandbox runtimes (Docker + OpenShell)
openclaw sandbox list
# Inspect effective policy
openclaw sandbox explain
# Recreate (deletes remote workspace, re-seeds on next use)
openclaw sandbox recreate --all
For remote mode, recreate is especially important: it deletes the canonical
remote workspace for that scope, and the next use seeds a fresh one from
local. For mirror mode, recreate mainly resets the remote execution
environment since local stays canonical.
Recreate after changing any of:
agents.defaults.sandbox.backendplugins.entries.openshell.config.fromplugins.entries.openshell.config.modeplugins.entries.openshell.config.policyThe mirror-mode filesystem bridge pins the local workspace root and rechecks canonical paths (via realpath) before every read, write, mkdir, remove, and rename, rejecting mid-path symlinks. A symlink swap or remounted workspace cannot redirect file access outside the mirrored tree.
sandbox.docker.binds does not apply to OpenShell; sandbox creation fails
if binds are configured.sandbox.docker.* (other than env)
apply only to the Docker backend.sandbox get for the sandbox name (with any configured
--gateway/--gateway-endpoint); if that fails it creates one with
sandbox create, passing --name, --from, --policy when set, --gpu
when enabled, --auto-providers/--no-auto-providers, and one
--provider flag per configured provider.sandbox ssh-config for the sandbox name to fetch SSH
connection details.mirror mode: sync local to remote before exec, run, sync back after.remote mode: seed once on create, then operate directly on the remote
workspace.openclaw sandbox commands