Skillget

boxed

agent
Security Audit
Warn
Health Pass
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 13 GitHub stars
Code Warn
  • network request — Outbound network request in sdk/typescript/package-lock.json
  • network request — Outbound network request in sdk/typescript/package.json
  • network request — Outbound network request in sdk/typescript/src/boxed.ts
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool is a code execution engine for AI agents. It provides sandboxed environments—using Docker, Firecracker, or WebAssembly—to safely run untrusted or dynamically generated code locally or in the cloud.

Security Assessment
Overall Risk: Medium. The tool is designed specifically to execute arbitrary shell commands and code within isolated sandboxes. While the tool itself does not request broad dangerous permissions on the host machine, its core purpose requires deep integration with container runtimes like Docker. Outbound network requests are present in the TypeScript SDK, which is expected for a client library communicating with the execution server. No hardcoded secrets were found; the server relies on a user-defined API key ("Bring Your Own Key" model) to authenticate requests. Because the tool's primary function is executing untrusted code, its overall risk profile depends heavily on how strictly you configure your Docker or Firecracker isolation boundaries.

Quality Assessment
The project is very new and early in its lifecycle, reflected by a low community trust metric (13 GitHub stars). However, it is actively maintained, with repository updates pushed as recently as today. The codebase is polyglot (Go, Rust, TypeScript, Python) and properly licensed under the permissive MIT license, making it safe from an intellectual property standpoint.

Verdict
Use with caution: The code is open and licensed properly, but given its high-risk purpose of executing arbitrary code, you should thoroughly verify your container isolation configurations before relying on it.
SUMMARY

The Sovereign Code Execution Engine for AI Agents. Run untrusted code safely locally or in the cloud using Docker, Firecracker, or Wasm.

README.md

Boxed Logo

Boxed

The Sovereign Code Execution Engine for AI Agents. Run untrusted code safely—locally or in the cloud—using Docker, Firecracker, or Wasm.

Go
Rust
TypeScript
Python
License

The Story 📖

Building an AI Agent that writes code? You have a problem.

  • Run it locally? 🚨 Security Risk. One rm -rf / and your laptop is gone.
  • Run it in cloud? 💸 Expensive. AWS instances for every user?
  • Use SaaS sandbox? 🐌 Vendor Lock-in. High latency and data privacy concerns.

Meet Boxed. The open-source, sovereign engine that gives your Agents a safe place to play. It provides a unified API to spawn ephemeral sandboxes, execute arbitrary code, and retrieve results instantly.

✨ Features

  • 🔒 Secure by Default — Defense-in-depth isolation (Docker now, Firecracker planned).
  • 🛡️ API Authentication — Hardened endpoints with API Key support.
  • ⚡ Sub-second Startup — Ephemeral environments ready in milliseconds.
  • 📁 First-class Artifacts — Auto-magic handling of generated files (images, PDFs, datasets).
  • 🔌 Polyglot SDKs — First-class support for TypeScript and Python.
  • 🌐 Network Control — Strict egress filtering to keep your network safe.

🚀 Getting Started

📋 Prerequisites

To run Boxed locally, you'll need:

  • Go 1.22+ (for the Control Plane)
  • Rust 1.75+ (for the Agent)
  • Docker Desktop (running and accessible)
  • Standard Images: Ensure you have a base image like python:3.10-slim pulled:
    docker pull python:3.10-slim

[!NOTE]
First Run: The first sandbox creation may take a few seconds while Docker pulls the required images. Subsequent runs are near-instant.

🏗️ Local Development

We provide a Makefile to simplify the build process.

# 1. Clone the repository
git clone https://github.com/akshayaggarwal99/boxed.git
cd boxed

# 2. Build everything (Agent + CLI)
make build

# 3. Start the Control Plane with Auth
export BOXED_API_KEY="super-secret-key"
./bin/boxed serve --api-key $BOXED_API_KEY

# Cleanup build artifacts
make clean

🔐 Security & Auth

Boxed uses a Bring Your Own Key (BYOK) model. Since you run your own instance, you define the secret key yourself at startup.

You can set the key via the --api-key flag or BOXED_API_KEY environment variable:

All CLI commands and SDKs must provide this key:

./bin/boxed list --api-key $BOXED_API_KEY

💻 CLI Usage

# Run interactive REPL (Sticky Session)
./bin/boxed repl <sandbox-id> --lang python

🔌 SDKs

TypeScript

# Local install
npm install ./sdk/typescript

Python

# Local install
pip install -e ./sdk/python

💻 SDK Examples

Python

from boxed_sdk import Boxed

client = Boxed(base_url="http://localhost:8080", api_key="super-secret-key")

# Create a secure session
session = client.create_session(template="python:3.10-slim")

# Run unsafe code
result = session.run("print('hello from boxed')")
print(result.stdout)

# Cleanup
session.close()

📚 Documentation

🛠️ Architecture

Boxed uses a Control Plane vs Data Plane architecture.

Architecture Diagram

  • Control Plane (Go): High-performance REST API with Auth middleware.
  • Agent (Rust): Lightweight (~5MB) binary injected into every sandbox to manage lifecycle and streaming.

🗺️ Roadmap

  • Phase 1: Enterprise Edition (Docker Backend, SDK)
  • Phase 1.5: Sticky Sessions (REPL Mode, WebSocket Proxy)
  • Phase 1.6: Security Hardening (Auth, CSRF Protection)
  • Phase 2: SaaS Edition (Firecracker MicroVMs)
  • Phase 4: Public Tunneling (*.boxed.run)

🤝 Contributing

Contributions are welcome! Please read our Contributing Guide.

📄 License

MIT License — do whatever you want with it.

Reviews (0)

No results found