agentskit.js
Security

Mandatory sandbox

Policy wrapper for tools — allow, deny, require-sandbox, validators.

import { createMandatorySandbox } from '@agentskit/tools'
import { shell } from '@agentskit/tools'

const guarded = createMandatorySandbox(shell(), {
  allow: ['ls', 'cat', 'grep'],
  deny: ['rm', 'sudo', 'curl', 'wget'],
  requireSandbox: true,
  validators: [
    (args) => args.cmd.length < 256 || 'command too long',
  ],
})

Modes

RuleEffect
allow: string[]only listed cmds pass
deny: string[]listed cmds rejected
requireSandbox: trueexecute via @agentskit/sandbox
validators: Fn[]return string to reject with message

Sandbox backends

E2B (default) · WebContainer · Deno worker — see sandbox package.

✎ Edit this page on GitHub·Found a problem? Open an issue →·How to contribute →
Edit on GitHub

Rate limiting

Token bucket per user / IP / key. Works with any adapter.

Evals

Measure quality with numbers, not vibes. Suites, replay, snapshots, diff, CI reporters.

On this page

ModesSandbox backendsRelated