Files
openclaw-openclaw/docs/cli/sandbox.md
Peter Steinberger aaf5ab910c fix: land ten small reliability fixes (#100483)
* fix(agents): harden LSP process failures

Source: #100450

Co-authored-by: morluto <williamlin1327@gmail.com>

* fix(sandbox): report effective workspace layout

Sources: #100435, #100439

Co-authored-by: Aniruddha Adak <aniruddhaadak80@users.noreply.github.com>

Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>

* fix(security): fail install checks on stream errors

Source: #100413

Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>

* fix(android): normalize all-day calendar events

Source: #100032

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(ios): serialize push-to-talk lifecycle

Source: #99942

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(talk): reject inherited provider names

Source: #99849

Co-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>

* fix(android): stop voice capture in background

Source: #99840

Co-authored-by: xialonglee <li.xialong@xydigit.com>

* fix(cron): preserve fallback result classification

Source: #99913

Co-authored-by: jincheng-xydt <xu.jincheng@xydigit.com>

* fix(google): bound Vertex response decompression

Source: #99812

Co-authored-by: 黄剑雄0668001315 <huang.jianxiong@xydigit.com>

* fix(plugins): report malformed discovery JSON

Source: #99892

Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>

* test(sandbox): configure non-default workspace fixture

* test: fix small-fix batch validation

---------

Co-authored-by: morluto <williamlin1327@gmail.com>
Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>
Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>
Co-authored-by: xialonglee <li.xialong@xydigit.com>
Co-authored-by: jincheng-xydt <xu.jincheng@xydigit.com>
Co-authored-by: 黄剑雄0668001315 <huang.jianxiong@xydigit.com>
2026-07-06 00:08:51 +01:00

6.1 KiB

summary, title, read_when, status
summary title read_when status
Manage sandbox runtimes and inspect effective sandbox policy Sandbox CLI You are managing sandbox runtimes or debugging sandbox/tool-policy behavior. active

Manage sandbox runtimes for isolated agent execution: Docker containers, SSH targets, or OpenShell backends.

Commands

openclaw sandbox list

List sandbox runtimes with status, backend, config match, age, idle time, and associated session/agent.

openclaw sandbox list
openclaw sandbox list --browser  # browser containers only
openclaw sandbox list --json

openclaw sandbox recreate

Remove sandbox runtimes to force recreation with current config. Runtimes are recreated automatically the next time the agent is used.

openclaw sandbox recreate --all
openclaw sandbox recreate --agent mybot        # includes agent:mybot:* sub-sessions
openclaw sandbox recreate --session "agent:main:main"
openclaw sandbox recreate --browser --all      # only browser containers
openclaw sandbox recreate --all --force        # skip confirmation

Options:

  • --all: recreate all sandbox containers
  • --session <key>: recreate the runtime with this exact scope key (as shown by sandbox list); no short-name expansion
  • --agent <id>: recreate runtimes for one agent (matches agent:<id> and agent:<id>:*)
  • --browser: only affect browser containers
  • --force: skip the confirmation prompt

Pass exactly one of --all, --session, or --agent.

For ssh and OpenShell remote, recreate matters more than with Docker: the remote workspace is canonical after the initial seed, recreate deletes that canonical remote workspace for the selected scope, and the next run reseeds it from the current local workspace.

openclaw sandbox explain

Inspect the effective sandbox mode/scope/workspace access, sandbox tool policy, and elevated-tool gates (with fix-it config key paths).

The report keeps workspaceRoot as the configured sandbox root and separately shows the effective host workspace, backend runtime workdir, and Docker mount table. For workspaceAccess: "rw", the effective host workspace is the agent workspace rather than a directory below workspaceRoot.

openclaw sandbox explain
openclaw sandbox explain --session agent:main:main
openclaw sandbox explain --agent work
openclaw sandbox explain --json

Unlike recreate --session, this accepts short session names (for example main) and expands them against the resolved agent.

Why recreate is needed

Updating sandbox config does not affect running containers: existing runtimes keep their old settings, and idle runtimes are only pruned after prune.idleHours (default 24h). Regularly used agents can keep stale runtimes alive indefinitely. openclaw sandbox recreate removes the old runtime so the next use rebuilds it from current config.

Prefer `openclaw sandbox recreate` over manual backend-specific cleanup. It uses the Gateway's runtime registry and avoids mismatches when scope or session keys change.

Common triggers

Change Command
Docker image update (agents.defaults.sandbox.docker.image) openclaw sandbox recreate --all
Sandbox config (agents.defaults.sandbox.*) openclaw sandbox recreate --all
SSH target/auth (agents.defaults.sandbox.ssh.{target,workspaceRoot,identityFile,certificateFile,knownHostsFile,identityData,certificateData,knownHostsData}) openclaw sandbox recreate --all
OpenShell source/policy/mode (plugins.entries.openshell.config.{from,mode,policy}) openclaw sandbox recreate --all
setupCommand openclaw sandbox recreate --all (or --agent <id> for one agent)
Runtimes are automatically recreated when the agent is next used.

Registry migration

Sandbox runtime metadata lives in the shared SQLite state database. Older installs may have legacy registry files that regular reads no longer rewrite:

  • ~/.openclaw/sandbox/containers.json
  • ~/.openclaw/sandbox/browsers.json
  • one JSON shard per container/browser under ~/.openclaw/sandbox/containers/ or ~/.openclaw/sandbox/browsers/

Run openclaw doctor --fix to migrate valid legacy entries into SQLite. Invalid legacy files are quarantined so a corrupt old registry cannot hide current runtime entries.

Configuration

Sandbox settings live in ~/.openclaw/openclaw.json under agents.defaults.sandbox (per-agent overrides go in agents.list[].sandbox):

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "all", // off, non-main, all
        "backend": "docker", // docker, ssh, openshell (plugin-provided)
        "scope": "agent", // session, agent, shared
        "docker": {
          "image": "openclaw-sandbox:bookworm-slim",
          "containerPrefix": "openclaw-sbx-",
          // ... more Docker options
        },
        "prune": {
          "idleHours": 24, // auto-prune after 24h idle
          "maxAgeDays": 7, // auto-prune after 7 days
        },
      },
    },
  },
}