Sandbox
Verified by Dryade
Requires team tier subscription
Description
Configurable isolation levels (NONE/PROCESS/CONTAINER/GVISOR) for tool execution
Details
Sandbox Plugin
Configurable tool sandboxing with multiple isolation levels.
Overview
Execute tools with varying degrees of isolation based on risk level:
- NONE: Direct execution for trusted tools
- PROCESS: Subprocess with resource limits
- CONTAINER: Docker container isolation
- GVISOR: gVisor sandbox for maximum security
Architecture
Tool Call --> Risk Classification --> Isolation Level
                                            |
                            +---------------+---------------+
                            |               |               |
                          NONE           PROCESS     CONTAINER/GVISOR
                            |               |               |
                         Direct         subprocess      docker run
                          call          with limits     with limits
Components
| File | Purpose |
|------|---------|
| executor.py | Main ToolSandbox class with execution methods |
| cache.py | Caching for sandbox results |
| registry.py | Tool risk level registry |
| tool.py | CrewAI tool wrapper utilities |
Configuration
# Enable gVisor (requires runsc runtime installed)
DRYADE_GVISOR_ENABLED=true
Usage
Basic Usage
from plugins.sandbox import get_sandbox, SandboxConfig, IsolationLevel

sandbox = get_sandbox()

# The calls below use await, so they must run inside an async function.

# Execute with automatic risk-based isolation
result = await sandbox.execute("execute_code", {"code": "print('hello')"})

# Override isolation level
result = await sandbox.execute(
    "my_tool",
    {"arg": "value"},
    config=SandboxConfig(
        isolation=IsolationLevel.CONTAINER,
        timeout_seconds=60,
        memory_limit_mb=512,
        network_enabled=False,
        filesystem_readonly=True,
    ),
)
Convenience Function
from plugins.sandbox import sandboxed_execute
result = await sandboxed_execute("tool_name", {"arg": "value"})
Tool Risk Levels
Default risk classifications:
TOOL_RISK_LEVELS = {
    # Low risk - no sandbox
    "capella_list": IsolationLevel.NONE,
    "capella_query": IsolationLevel.NONE,
    # Medium risk - process isolation
    "capella_create": IsolationLevel.PROCESS,
    "file_read": IsolationLevel.PROCESS,
    # High risk - container isolation
    "execute_code": IsolationLevel.CONTAINER,
    "shell_command": IsolationLevel.CONTAINER,
}
Isolation Details
Process Isolation
- Subprocess execution
- Resource limits via ulimit
- Timeout enforcement
Container Isolation
Docker command template:
docker run --rm \
    --memory=512m \
    --cpus=1.0 \
    --network=none \
    --read-only \
    python:3.11-slim python -c "..."
gVisor Isolation
gVisor isolation uses the same container limits, runs the container under the runsc runtime, and adds a noexec/nosuid tmpfs at /tmp and a strict seccomp profile:
docker run --rm \
    --runtime=runsc \
    --memory=512m \
    --cpus=1.0 \
    --network=none \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --security-opt seccomp=config/seccomp-strict.json \
    python:3.11-slim python -c "..."
Dependencies
- Docker: Required for CONTAINER and GVISOR levels
- gVisor runsc: Optional, required for GVISOR level
Fallback Behavior
- If gVisor is not available, falls back to standard Docker
- If Docker is not available, process isolation is used
- Graceful degradation with warnings logged
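Taken together with the default risk table, the fallback chain means a tool classified CONTAINER can end up running with only PROCESS isolation on a host without Docker. The following added example (not the plugin's own code) models that chain and refuses to run below a chosen floor; the `IntEnum` ordering, `effective_level`, `resolve`, `IsolationUnavailable` and the strongest-level default for unregistered tools are assumptions made for illustration.

```python
from enum import IntEnum


class IsolationLevel(IntEnum):
    # Hypothetical stand-in for the plugin's enum, ordered weakest to strongest.
    NONE = 0
    PROCESS = 1
    CONTAINER = 2
    GVISOR = 3


# Subset of the default classifications listed on this page.
TOOL_RISK_LEVELS = {
    "capella_list": IsolationLevel.NONE,
    "file_read": IsolationLevel.PROCESS,
    "execute_code": IsolationLevel.CONTAINER,
}


class IsolationUnavailable(RuntimeError):
    """The fallback chain would drop below the allowed floor."""


def effective_level(requested, docker_ok, gvisor_ok):
    """Documented fallback: GVISOR -> CONTAINER -> PROCESS."""
    level = requested
    # GVISOR needs both Docker and the runsc runtime.
    if level == IsolationLevel.GVISOR and not (docker_ok and gvisor_ok):
        level = IsolationLevel.CONTAINER
    if level == IsolationLevel.CONTAINER and not docker_ok:
        level = IsolationLevel.PROCESS
    return level


def resolve(tool, docker_ok, gvisor_ok, floor=None):
    """Level a tool would run at; raises rather than going below floor.

    Assumption: unregistered tools are treated as highest risk (GVISOR).
    floor=None means no downgrade from the classified level is accepted.
    """
    requested = TOOL_RISK_LEVELS.get(tool, IsolationLevel.GVISOR)
    floor = requested if floor is None else floor
    level = effective_level(requested, docker_ok, gvisor_ok)
    if level < floor:
        raise IsolationUnavailable(f"{tool}: needs {floor.name}, host provides {level.name}")
    return level


if __name__ == "__main__":
    # Constructed scenario: a host with Docker but without runsc.
    print(resolve("execute_code", docker_ok=True, gvisor_ok=False).name)
```

Passing an explicit `floor` lets a deployment accept one step of degradation (for example GVISOR to CONTAINER) while still rejecting a drop to PROCESS.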