Docker sandbox skill for haiku.skills
haiku-skills-sandbox
Docker sandbox skill for haiku.skills. Executes Python code in an isolated Docker container with pre-installed data science packages and filesystem access.
Prerequisites
Build the Docker image (once):
docker build -t haiku-skills-sandbox:latest skills/sandbox/haiku_skills_sandbox/
Usage
Via entry point discovery
HAIKU_SKILLS_SANDBOX_WORKSPACE=/path/to/data haiku-skills chat
Programmatic
from pathlib import Path

from haiku_skills_sandbox import create_skill

skill = create_skill(
    workspace=Path("/path/to/data"),  # mounted at /workspace in the container
    idle_timeout=1800,  # stop container after 30min idle (default: 1h)
    image="my-custom-image:latest",  # custom Docker image (default: haiku-skills-sandbox:latest)
)
Configuration
| Parameter | Env var | Default | Description |
|---|---|---|---|
| workspace | HAIKU_SKILLS_SANDBOX_WORKSPACE | None | Host directory mounted at /workspace in the container |
| idle_timeout | HAIKU_SKILLS_SANDBOX_IDLE_TIMEOUT | 3600 | Seconds of inactivity before the container is stopped |
| image | HAIKU_SKILLS_SANDBOX_IMAGE | haiku-skills-sandbox:latest | Docker image to use for the container |
Priority: create_skill() argument > environment variable > default.
Container lifecycle
- Containers start lazily on the first tool call
- Session binding via SandboxState.session_id — the same AG-UI thread reuses the same container
- Idle containers are stopped automatically (checked on each tool call)
- All containers are stopped on process exit via atexit
- When workspace is mounted, files persist on the host — restarting a container loses nothing
Pre-installed packages
The haiku-skills-sandbox:latest image includes: pandas, numpy, scipy, matplotlib.
Security considerations
- Network access: Containers have full network access (Docker bridge networking) by default.
- Command execution: ConsoleToolset is configured with require_execute_approval=False — the LLM can run arbitrary commands inside the container without user confirmation. Docker provides the isolation boundary.
- Workspace access: When a workspace is mounted, the container has full read/write access to that host directory. The LLM can read, modify, or delete any file in the mounted workspace.
- Container user: The container runs as root. Docker container isolation is the security boundary, not OS-level user separation.
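To check a running sandbox against the points above, the following added example (not part of the haiku-skills-sandbox code) audits `docker inspect` output for network access, a root user and a writable bind mount. The container name and sample JSON are constructed; the field names are those of Docker's inspect output.

```python
import json

# Constructed sample: a trimmed `docker inspect <container>` entry shaped like
# the defaults this page describes (bridge network, root user, rw workspace).
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/sandbox-example",
  "Config": {"User": "", "Image": "haiku-skills-sandbox:latest"},
  "HostConfig": {"NetworkMode": "bridge"},
  "Mounts": [{"Type": "bind", "Source": "/path/to/data",
              "Destination": "/workspace", "RW": true}]
}]
""")


def audit_container(info):
    """Return (code, detail) findings for one `docker inspect` entry."""
    findings = []
    net = info.get("HostConfig", {}).get("NetworkMode", "")
    # Any mode other than "none" leaves the container with a network path.
    if net != "none":
        findings.append(("network", f"NetworkMode={net or 'default'}: network reachable"))
    user = info.get("Config", {}).get("User", "")
    # Empty User means the image default, which is root unless the image sets USER.
    if user.split(":")[0] in ("", "0", "root"):
        findings.append(("root-user", "container process runs as root"))
    for mount in info.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("RW", False):
            findings.append(
                ("rw-bind-mount",
                 f"{mount['Source']} is writable at {mount['Destination']}"))
    return findings


def audit(inspect_output):
    """Map container name -> findings for a full `docker inspect` result list."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for code, detail in findings:
            print(f"{name}: [{code}] {detail}")
```

Feed it real data with `json.loads` on the output of `docker inspect <container>`; an empty findings list means none of the three conditions apply to that container.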
File details
Details for the file haiku_skills_sandbox-0.13.1.tar.gz.
File metadata
- Download URL: haiku_skills_sandbox-0.13.1.tar.gz
- Upload date:
- Size: 4.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File details
Details for the file haiku_skills_sandbox-0.13.1-py3-none-any.whl.
File metadata
- Download URL: haiku_skills_sandbox-0.13.1-py3-none-any.whl
- Upload date:
- Size: 5.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12