Securing LLM Agents with OpenShell Out-of-Process Enforcement

Sam Witteveengo watch the original →

OpenShell secures LLM agents by moving policy enforcement out of the agent's system prompt and into an external supervisor process that restricts network, file system, and credential access.

The Breakthrough

OpenShell shifts agent security from unreliable system-prompt instructions to out-of-process enforcement, where a supervisor process restricts the agent's capabilities before the agent even executes.

What Actually Worked

  • Out-of-Process Enforcement: The supervisor component initializes before the agent, creating a restricted child process where all actions are validated against a YAML policy file before reaching the host system.
  • Default-Deny Network Policy: The supervisor blocks all outbound network traffic by default, requiring explicit allow-listing for specific endpoints like search APIs or inference gateways.
  • Credential Injection: API keys are never stored on disk or inside the sandbox; the supervisor injects credentials at runtime, and the agent interacts with a local inference.local endpoint that the supervisor signs on the way out.
  • Sandbox Isolation: The supervisor mounts only specific, required directories into the container, preventing the agent from accessing host-level files, SSH keys, or environment variables.

Context

Traditional agent frameworks rely on system prompts to enforce safety, which fails when models are compromised via prompt injection or malicious tool outputs. By decoupling the agent harness (such as LangChain DeepAgents) from the runtime (OpenShell), developers can swap models and harnesses while maintaining a consistent, hardened security boundary that remains effective even if the agent itself is fully compromised.

Content References

  • tool: NemoClaw, NVIDIA, mentioned
  • tool: OpenShell, NVIDIA, reviewed
  • tool: LangChain DeepAgents, LangChain, reviewed
  • tool: Neotron, NVIDIA, mentioned
  • #ai
  • #dev-tooling
  • #security

summary by google/gemini-3.1-flash-lite. probably wrong about something. check the source.