Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/NVIDIA/OpenShell/llms.txt

Use this file to discover all available pages before exploring further.

The table below summarizes the agents that run in OpenShell sandboxes. Agents listed under the base sandbox are pre-installed and auto-configured when you pass them as the trailing command to openshell sandbox create.

Agent table

AgentSource sandboxRequired credentialNotes
Claude CodebaseANTHROPIC_API_KEYFull policy coverage. Works out of the box.
OpenCodebaseOPENAI_API_KEY or OPENROUTER_API_KEYPartial policy coverage. Add opencode.ai endpoint and OpenCode binary paths for full functionality.
CodexbaseOPENAI_API_KEYNo default policy coverage. Requires a custom policy with OpenAI endpoints and Codex binary paths.
GitHub Copilot CLIbaseGITHUB_TOKEN or COPILOT_GITHUB_TOKENFull policy coverage. Works out of the box.
OpenClawopenclaw (community)Bundled with sandboxAgent orchestration layer. Launch with --from openclaw.
Ollamaollama (community)Bundled with sandboxIncludes Claude Code, Codex, and OpenCode. Launch with --from ollama.
All sandbox images are maintained in the OpenShell Community repository.

Credential auto-discovery

OpenShell automatically discovers credentials for recognized agents from your shell environment. When you run openshell sandbox create, the CLI reads the relevant environment variables (such as ANTHROPIC_API_KEY, OPENAI_API_KEY, and GITHUB_TOKEN) and creates credential providers from them. Credentials are never written to the sandbox filesystem. They are injected as environment variables at runtime so the agent process can use them without exposing them to the filesystem or other processes.
You do not need to run openshell provider create for recognized agents. If the required environment variable is set in your shell, OpenShell handles the rest automatically.

How providers work

OpenShell manages credentials as providers — named credential bundles that are injected into sandboxes at creation time. Each provider maps to a set of environment variables that the agent inside the sandbox will receive. You can create providers explicitly when auto-discovery is not sufficient: 
# Create a provider from existing environment variables
openshell provider create --type anthropic --from-existing

# Create a provider interactively
openshell provider create --type openai

Launching agents

To launch an agent, pass it as the trailing command to openshell sandbox create. 
# Claude Code
openshell sandbox create -- claude

# OpenCode
openshell sandbox create -- opencode

# Codex
openshell sandbox create -- codex

# GitHub Copilot CLI
openshell sandbox create -- copilot
You can combine the sandbox name, a custom policy, and a provider in a single command: 
openshell sandbox create --name my-sandbox --policy ./policy.yaml -- claude
The -- separator is required. Everything after -- is the command run inside the sandbox.

Community sandboxes

Agents that need a specialized runtime — like OpenClaw and Ollama — are available as community sandbox images. Use --from to pull them from the OpenShell Community catalog. 
# Launch OpenClaw (agent orchestration layer)
openshell sandbox create --from openclaw

# Launch Ollama (local and cloud model runner)
openshell sandbox create --from ollama
You can also point --from at a local directory or a container image: 
# Local Dockerfile
openshell sandbox create --from ./my-sandbox-dir

# Container image
openshell sandbox create --from registry.io/img:v1
Community sandbox images bundle their own policies. Review the policy file in the community repository before using a sandbox image in a production or sensitive environment.

Next steps

Providers

Create and manage credential providers for your agents.

Community sandboxes

Browse the full catalog of community sandbox images.