Sandboxing

How OpenVesper bounds what tools can do. Especially relevant for thefilesystem and shell plugins, which by design can touch your system.

Filesystem sandbox

The filesystem plugin uses a safePath() helper that resolves every requested path and ensures it stays within the configured workspace boundary.

What gets rejected:

  • Paths with .. traversal that would escape the workspace
  • Symlinks pointing outside the workspace
  • Absolute paths to system directories (/etc, /root, ~/.ssh)

By default, the workspace boundary is the current working directory when you ran the CLI. Configure with OPENVESPER_WORKSPACE in your env if you want to scope differently.

Shell sandbox

The shell plugin blocks dangerous command patterns before passing anything to a child process:

  • rm -rf /, rm -rf ~, and variants
  • Fork bombs (:(){ :|:& };:)
  • mkfs.* filesystem formatting
  • dd if=/dev/... raw disk writes
  • shutdown, reboot, halt
  • Network bind on privileged ports without sudo context

Every shell call also runs with a 30-second timeout by default. Override with the tool's timeout_ms input.

Permission flags on tools

Every tool declares what it needs:

PermissionAuto-allow?Behavior
(unset)YesPure / read-only computation
externalYesCalls an external HTTP API
filesystemYes (sandboxed)File reads/writes, bounded by safePath
shellYes (sandboxed)Shell commands, blocked patterns rejected
mutationPrompts in interactive modeSide effects: send, transfer, post

Network restrictions

OpenVesper does not enforce network egress restrictions at the framework level. Tools call the APIs they're designed to call. If you want to restrict outbound traffic, run OpenVesper in a container or VM with a firewall.

Memory and conversation isolation

Each agent has its own memory and conversation state. An agent's memory file is not readable by another agent at runtime โ€” the runtime loads only the active agent's MEMORY.md.

What's next?