Securing LLM Agents with OpenShell Out-of-Process Enforcement
Sam Witteveengo watch the original →
the gist
OpenShell secures LLM agents by moving policy enforcement out of the agent's system prompt and into an external supervisor process that restricts network, file system, and credential access.
The Breakthrough
OpenShell shifts agent security from unreliable system-prompt instructions to out-of-process enforcement, where a supervisor process restricts the agent's capabilities before the agent even executes.
What Actually Worked
- Out-of-Process Enforcement: The supervisor component initializes before the agent, creating a restricted child process where all actions are validated against a YAML policy file before reaching the host system.
- Default-Deny Network Policy: The supervisor blocks all outbound network traffic by default, requiring explicit allow-listing for specific endpoints like search APIs or inference gateways.
- Credential Injection: API keys are never stored on disk or inside the sandbox; the supervisor injects credentials at runtime, and the agent interacts with a local
inference.localendpoint that the supervisor signs on the way out. - Sandbox Isolation: The supervisor mounts only specific, required directories into the container, preventing the agent from accessing host-level files, SSH keys, or environment variables.
Context
Traditional agent frameworks rely on system prompts to enforce safety, which fails when models are compromised via prompt injection or malicious tool outputs. By decoupling the agent harness (such as LangChain DeepAgents) from the runtime (OpenShell), developers can swap models and harnesses while maintaining a consistent, hardened security boundary that remains effective even if the agent itself is fully compromised.
Content References
- tool: NemoClaw, NVIDIA, mentioned
- tool: OpenShell, NVIDIA, reviewed
- tool: LangChain DeepAgents, LangChain, reviewed
- tool: Neotron, NVIDIA, mentioned