AgentSkillsCN

sandbox

Execute code safely in Docker containers, with resource limits applied

SKILL.md
--- frontmatter
name: sandbox
description: "Safe code execution in Docker containers with resource limits"
emoji: "📦"
gates:
  envs:
    anyOf:
      - DOCKER_HOST

Sandbox - Complete API Reference

Execute code safely in isolated Docker containers with resource limits and timeout protection.


Chat Commands

Run Code

code
/run python "print('Hello')"                Run Python code
/run node "console.log('Hi')"               Run JavaScript
/run bash "ls -la"                          Run shell command
/run ruby "puts 'Hello'"                    Run Ruby code

With Options

code
/run python "code" --timeout 30             Set timeout (seconds)
/run node "code" --memory 512               Memory limit (MB)
/run python "code" --file script.py         From file

Sandbox Management

code
/sandbox status                             Container status
/sandbox images                             Available images
/sandbox cleanup                            Remove old containers

TypeScript API Reference

Create Sandbox

typescript
import { createSandbox } from 'clodds/sandbox';

const sandbox = createSandbox({
  // Docker settings
  dockerHost: process.env.DOCKER_HOST,

  // Default limits
  defaultTimeoutMs: 30000,
  defaultMemoryMB: 256,
  defaultCpuShares: 512,

  // Cleanup
  autoCleanup: true,
  maxContainerAgeMs: 3600000,
});

Run Code

typescript
// Run Python
const result = await sandbox.run({
  language: 'python',
  code: `
import math
print(f"Pi is {math.pi}")
  `,
});

console.log(`Output: ${result.stdout}`);
console.log(`Exit code: ${result.exitCode}`);
console.log(`Duration: ${result.durationMs}ms`);

// Run with limits (separate name: `result` is already declared above)
const limitedResult = await sandbox.run({
  language: 'node',
  code: `console.log('Hello from Node.js')`,
  timeout: 10000,
  memoryMB: 128,
});

Supported Languages

typescript
// Python
await sandbox.run({ language: 'python', code: 'print("Hello")' });

// JavaScript (Node.js)
await sandbox.run({ language: 'node', code: 'console.log("Hello")' });

// Bash
await sandbox.run({ language: 'bash', code: 'echo "Hello"' });

// Ruby
await sandbox.run({ language: 'ruby', code: 'puts "Hello"' });

// Go
await sandbox.run({ language: 'go', code: 'package main\nimport "fmt"\nfunc main() { fmt.Println("Hello") }' });

Run From File

typescript
const result = await sandbox.runFile({
  language: 'python',
  filePath: '/path/to/script.py',
  args: ['--input', 'data.csv'],
});

Install Packages

typescript
// Python packages
const result = await sandbox.run({
  language: 'python',
  code: `
import pandas as pd
print(pd.__version__)
  `,
  packages: ['pandas', 'numpy'],
});

// Node packages (separate name: `result` is already declared above)
const nodeResult = await sandbox.run({
  language: 'node',
  code: `
const _ = require('lodash');
console.log(_.VERSION);
  `,
  packages: ['lodash'],
});

Resource Limits

typescript
const result = await sandbox.run({
  language: 'python',
  code: 'import time; time.sleep(100)',

  // Limits
  timeout: 5000,        // 5 second timeout
  memoryMB: 256,        // 256 MB RAM
  cpuShares: 512,       // CPU shares: relative weight (Docker default 1024)
  networkDisabled: true, // No network access
});

Container Management

typescript
// Get status
const status = await sandbox.getStatus();
console.log(`Running containers: ${status.running}`);
console.log(`Total containers: ${status.total}`);

// List available images
const images = await sandbox.listImages();
for (const img of images) {
  console.log(`${img.language}: ${img.image}`);
}

// Cleanup old containers
await sandbox.cleanup({
  olderThan: '1h',
  status: 'exited',
});

Language Images

| Language | Image | Version |
|----------|-------|---------|
| python | python:3.11-slim | 3.11 |
| node | node:20-slim | 20.x |
| bash | alpine:latest | Alpine |
| ruby | ruby:3.2-slim | 3.2 |
| go | golang:1.21-alpine | 1.21 |

Resource Limits

| Resource | Default | Max |
|----------|---------|-----|
| Timeout | 30s | 300s |
| Memory | 256 MB | 2048 MB |
| CPU | 512 shares | 2048 shares |
| Disk | 100 MB | 1 GB |

Security

| Feature | Description |
|---------|-------------|
| Isolation | Each run in separate container |
| No network | Network disabled by default |
| No volumes | No host filesystem access |
| Read-only | Filesystem is read-only |
| Resource caps | Memory and CPU limits |
| Timeout | Force kill after timeout |
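
The Security and Resource Limits tables above, expressed as `docker run` arguments. This is an added example, not the clodds implementation: `buildDockerArgs`, `checkLimit` and the size-limited tmpfs used for the disk cap are assumptions, while the images and numeric limits are taken from this page.

```typescript
// Added example, not clodds code. Images and limits come from this page's tables;
// the mapping to `docker run` flags is an assumption about one way to enforce them.
type Lang = 'python' | 'node' | 'bash' | 'ruby' | 'go';
interface RunLimits {
  timeoutMs?: number; memoryMB?: number; cpuShares?: number;
  diskMB?: number; networkDisabled?: boolean;
}

const IMAGES: Record<Lang, string> = {
  python: 'python:3.11-slim', node: 'node:20-slim', bash: 'alpine:latest',
  ruby: 'ruby:3.2-slim', go: 'golang:1.21-alpine',
};

// [default, max] pairs from the Resource Limits table.
const CAPS = {
  timeoutMs: [30000, 300000],
  memoryMB: [256, 2048],
  cpuShares: [512, 2048],
  diskMB: [100, 1024],
} as const;

// Reject out-of-range values instead of silently clamping, so a caller
// cannot request more than the documented maximum.
function checkLimit(name: keyof typeof CAPS, value?: number): number {
  const [def, max] = CAPS[name];
  if (value === undefined) return def;
  if (!Number.isInteger(value) || value <= 0 || value > max) {
    throw new RangeError(`${name} must be an integer in 1..${max}, got ${value}`);
  }
  return value;
}

function buildDockerArgs(language: Lang, limits: RunLimits = {}) {
  const image = IMAGES[language];
  if (!image) throw new Error(`unsupported language: ${language}`);
  const mem = checkLimit('memoryMB', limits.memoryMB);
  const argv: string[] = [
    'run', '--rm', '--read-only',                       // no -v/--mount: no host files
    '--memory', `${mem}m`, '--memory-swap', `${mem}m`,  // equal values: no swap on top
    '--cpu-shares', String(checkLimit('cpuShares', limits.cpuShares)),
    '--tmpfs', `/tmp:rw,noexec,nosuid,size=${checkLimit('diskMB', limits.diskMB)}m`,
  ];
  // Fail closed: only an explicit `false` enables networking.
  if (limits.networkDisabled !== false) argv.push('--network', 'none');
  argv.push(image);
  // Docker has no run-time timeout flag; the caller must kill the container itself.
  return { argv, timeoutMs: checkLimit('timeoutMs', limits.timeoutMs) };
}
```

`--cpu-shares` only sets a relative weight under contention; a hard CPU ceiling would need `--cpus` in addition.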

Use Cases

Run Backtest

typescript
const result = await sandbox.run({
  language: 'python',
  code: backtestCode,
  packages: ['pandas', 'numpy', 'ta'],
  timeout: 60000,
  memoryMB: 512,
});

Data Processing

typescript
const result = await sandbox.run({
  language: 'python',
  code: `
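import json
# Parse the input as JSON text: a raw JSON literal is not always valid Python (true/false/null)
data = json.loads(${JSON.stringify(JSON.stringify(inputData))})
result = process(data)  # process() stands in for your own function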
print(json.dumps(result))
  `,
});
const output = JSON.parse(result.stdout);

Best Practices

  1. Set timeouts — Prevent runaway code
  2. Limit memory — Avoid OOM
  3. Disable network — Unless needed
  4. Use slim images — Faster startup
  5. Cleanup regularly — Remove old containers