Microsandbox

microsandbox · superradcompany/microsandbox · ★ 6.3k · last commit 2026-05-25

Primitive shape 1 total
MCP tools 1
00

Summary

Microsandbox — Summary

Microsandbox is a Rust-based framework for spinning up lightweight hardware-isolated microVMs in milliseconds, directly from application code with no external server or daemon required. It provides SDKs for Rust, Python, TypeScript, and Go; a CLI (msb) for managing sandboxes interactively; an optional MCP server for MCP-compatible agents; and "Agent Skills" for Claude Code, Cursor, Codex, Gemini CLI, and GitHub Copilot to teach coding agents how to use microsandbox via skill files. The Sandbox::builder("...").create() call boots a microVM as a child process, making the entire sandbox embedded and rootless — no infrastructure setup required. Boot times average under 100ms. It supports OCI/Docker images from any registry. Secrets are injected without entering the VM ("unexploitable secret keys that never enter the VM"). Microsandbox is entirely local-first (no cloud dependency), which distinguishes it from E2B and Daytona in this batch. Like all sandbox infrastructure projects, it sits below the agent loop rather than inside it, making it fundamentally different from the 11 seed frameworks.

01

Overview

Microsandbox — Overview

Origin

Microsandbox (superradcompany/microsandbox) is built by Superrad Company in Rust. As of May 2026 it has 6,299 stars and 30 contributors. It is licensed under Apache-2.0 and is still in beta ("Expect breaking changes, missing features, and rough edges").

Philosophy

From the README: "the easiest way to give your agent their own computer"

Key design principles:

  • Embeddable: Sandbox::builder("...").create() boots a microVM as a child process — no setup server, no long-running daemon
  • Rootless: Runs without root privileges
  • Local-first: No network dependency, no cloud API
  • Hardware isolation: MicroVM technology (via libkrun), not containers
  • Secrets that can't leak: Secret injection happens outside the VM boundary; secrets never enter the VM image
  • OCI compatible: Runs standard Docker Hub / GHCR / any OCI registry images
  • Agent-ready: Ships Agent Skills (for Claude Code, Cursor, Codex, Gemini CLI, Copilot) and an MCP server

Relationship to Other Projects

Microsandbox uses libkrun (same as Brood Box) for microVM execution. It is the closest competitor to Brood Box in this batch, with key differences:

  • Microsandbox: embeddable SDK + local CLI, no review workflow, multi-language SDKs, agent skills
  • Brood Box: CLI wrapper around specific named agents, COW workspace + review workflow, MCP proxy, security focus

Beta Status

Warning from README: "Microsandbox is still beta software. Expect breaking changes, missing features, and rough edges."

02

Architecture

Microsandbox — Architecture

Distribution

  • Type: Multi-language SDK + CLI binary
  • Install (Rust): cargo add microsandbox
  • Install (Python): uv add microsandbox
  • Install (TypeScript): npm i microsandbox
  • Install (Go): go get github.com/superradcompany/microsandbox/sdk/go
  • Install (CLI): curl -fsSL https://install.microsandbox.dev | sh or npx microsandbox run debian

Cargo Workspace Structure

microsandbox/
├── crates/
│   ├── agentd/        — Agent daemon (runs inside microVM)
│   ├── cli/           — msb CLI
│   ├── db/            — Database layer (SQLite)
│   ├── filesystem/    — Filesystem operations
│   ├── image/         — OCI image handling
│   ├── metrics/       — CPU/memory/network metrics
│   ├── microsandbox/  — Core sandbox library
│   ├── migration/     — Database migrations
│   ├── network/       — Network management
│   ├── protocol/      — Wire protocol definitions
│   ├── runtime/       — MicroVM runtime (libkrun wrapper)
│   ├── utils/         — Shared utilities
│   └── test-*/        — Test utilities
├── sdk/
│   ├── go/            — Go SDK
│   ├── node-ts/       — TypeScript/Node SDK
│   └── python/        — Python SDK
├── mcp/               — MCP server
├── skills/            — Agent Skills (Claude Code, Cursor, etc.)
└── docs/              — Documentation (MDX)

Key Technologies

  • Rust: Core runtime (crates/runtime + crates/microsandbox)
  • libkrun: Hardware microVM virtualization (KVM / Hypervisor.framework) — shared dependency with Brood Box
  • SQLite: Internal state tracking (crates/db) — installed to ~/.microsandbox/
  • OCI: Container image compatibility

Install Paths

On setup, microsandbox installs to:

  • ~/.microsandbox/bin/ — binaries (msb, agentd)
  • ~/.microsandbox/lib/ — libraries (libkrunfw)

Platform Requirements

  • macOS with Apple Silicon (M1/M2/M3/M4)
  • Linux with KVM enabled
  • No cloud dependency

03

Components

Microsandbox — Components

CLI (msb)

Command | Purpose
msb run <image> | Run a microVM from image (one-shot)
msb create --name <n> <image> | Create named persistent sandbox
msb exec <name> -- <cmd> | Execute command in named sandbox
msb stop <name> | Stop a sandbox
msb start <name> | Start a stopped sandbox
msb rm <name> | Remove a sandbox
msb ls | List all sandboxes
msb ps <name> | Show sandbox status
msb inspect <name> | Detailed sandbox info
msb metrics <name> | Live CPU/memory/network stats
msb pull <image> | Pull an OCI image
msb image ls | List cached images
msb image rm <image> | Remove cached image
msb install <image> | Install sandbox as a system command
msb uninstall <image> | Remove installed sandbox command
msb --tree | Show all commands and options

Rust SDK

let sandbox = Sandbox::builder("my-sandbox")
    .image("python")
    .cpus(1)
    .memory(512)
    .create()
    .await?;

let output = sandbox
    .exec("python", ["-c", "print('Hello!')"])
    .await?;

sandbox.stop_and_wait().await?;

Python SDK

sandbox = await Sandbox.create("my-sandbox", image="python", cpus=1, memory=512)
output = await sandbox.exec("python", ["-c", "print('Hello!')"])
await sandbox.stop_and_wait()

TypeScript SDK

await using sandbox = await Sandbox.builder("my-sandbox")
  .image("python").cpus(1).memory(512).create();
const output = await sandbox.exec("python", ["-c", "print('Hello!')"]);

Go SDK

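sandbox, err := microsandbox.CreateSandbox(ctx, "my-sandbox",
    microsandbox.WithImage("python"),
    microsandbox.WithCPUs(1),
    microsandbox.WithMemory(512),
)
if err != nil {
    log.Fatalf("create sandbox: %v", err) // never continue with a nil sandbox
}
output, err := sandbox.Exec(ctx, "python", []string{"-c", "print('Hello!')"})
if err != nil {
    log.Fatalf("exec: %v", err)
}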

MCP Server (microsandbox-mcp)

Separate package (github.com/superradcompany/microsandbox-mcp). Provides structured tool calls for:

  • Sandbox lifecycle (create, start, stop, destroy)
  • Command execution
  • Filesystem access
  • Volume management
  • Monitoring

Integration: claude mcp add --transport stdio microsandbox -- npx -y microsandbox-mcp

Agent Skills (superradcompany/skills)

Separate repo (github.com/superradcompany/skills). Teaches coding agents (Claude Code, Cursor, Codex, Gemini CLI, GitHub Copilot) how to use microsandbox.

Install: npx skills add superradcompany/skills

Internal Components

Crate | Purpose
agentd | Agent daemon running inside microVM; handles command execution
runtime | libkrun wrapper; boots/stops microVMs
image | OCI image pull, cache, extraction
network | VM networking, port forwarding
db | SQLite state (sandbox registry)
metrics | Live resource metrics
filesystem | Host↔guest file operations

05

Prompts

Microsandbox — Prompts

Microsandbox ships zero agent prompt files in the main repository. It is an execution infrastructure library, not an agent behavior framework.

However, unlike E2B and Daytona, microsandbox explicitly supports agent skill injection via the separate superradcompany/skills repository and an MCP server (microsandbox-mcp). These teach agents how to USE microsandbox, but the skills are maintained in a separate repo.

Verbatim: Rust SDK Core Usage (README)

use microsandbox::Sandbox;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let sandbox = Sandbox::builder("my-sandbox")
        .image("python")
        .cpus(1)
        .memory(512)
        .create()
        .await?;

    let output = sandbox
        .exec("python", ["-c", "print('Hello from a microVM!')"])
        .await?;

    println!("{}", output.stdout()?);

    sandbox.stop_and_wait().await?;
    Ok(())
}

Technique: Fluent builder pattern for sandbox creation. sandbox.exec() is a plain command-execution call with no agent prompting.

Verbatim: Python SDK Snapshot/Restore Example

# Start a sandbox and write some data to a file
sandbox = await Sandbox.create("my-sandbox", image="python", cpus=1, memory=512)
result = await sandbox.exec("python", ["-c", "print('Running in microVM')"])
print(result.stdout_text)
await sandbox.stop_and_wait()

Technique: Imperative async API. Note: the Python SDK is simpler than the Rust equivalent — no builder pattern, direct keyword arguments.

Assessment

Microsandbox's "prompt" contribution to the agent ecosystem is via the external superradcompany/skills repo, which teaches Claude Code and other agents how to create and manage microsandboxes. Those skill files are not part of this repository. The main repo is pure infrastructure code.

09

Uniqueness

Microsandbox — Uniqueness & Positioning

differs_from_seeds

Microsandbox is architecturally orthogonal to all 11 seed frameworks. Seeds operate within the agent loop via skills, hooks, personas, MCP tools, or spec files. Microsandbox is the execution substrate beneath agents — it provides hardware-isolated microVMs that agents run inside or that agents can create (via MCP or skills). The closest seed touchpoint is ccmemory's MCP server pattern, but ccmemory's MCP tools provide memory/knowledge operations while microsandbox's MCP tools provide execution environment operations. Among the isolation_mechanism values, all seeds use none/git-worktree; microsandbox uses microvm. The distinctive addition is the Agent Skills package (separate repo): unlike other sandbox infrastructure tools, microsandbox explicitly ships skill files for coding agents, bridging the gap between execution substrate and agent instruction layer — though this bridge is in a separate repository.

Positioning Within This Batch

Microsandbox is the local/embeddable microVM option:

  • vs E2B/Daytona: Local-first (no cloud), embedded (no server/daemon), but also no snapshot/restore, no VNC, no web dashboard
  • vs Brood Box: Both use libkrun; brood-box wraps specific named agents with COW review workflow; microsandbox is a general SDK for embedding VMs in any application
  • vs arrakis: Arrakis is self-hosted with REST API + snapshot/restore + VNC; microsandbox is embedded in-process

Distinctive Opinion

A microVM should be spawnable as a child process from any application code, with no infrastructure setup, in under 100ms — making hardware isolation as easy as a library call.

Explicit Antipatterns

  • External server or long-running daemon required for sandbox use
  • Secrets entering the VM image

Observable Failure Modes

  1. Beta status: Breaking changes expected; APIs unstable
  2. Linux/macOS only: KVM or Apple Silicon required; no Windows
  3. First-run latency: Runtime download to ~/.microsandbox/ on first use
  4. No snapshot/restore: Unlike Arrakis and Brood Box, microsandbox does not support VM state snapshots for backtracking
  5. Separate skill repo: Agent skills are in a separate repository (superradcompany/skills), adding an extra install step

Cross-References in This Batch

  • Uses same virtualization backend (libkrun) as Brood Box
  • superradcompany/microsandbox-mcp is a separate companion MCP server repo
  • superradcompany/skills is a separate agent skills repo for Claude Code / Cursor / Codex / Gemini / Copilot integration

04

Workflow

Microsandbox — Workflow

Programmatic Workflow (SDK)

1. Install SDK (cargo add / pip / npm / go get)
2. On first Sandbox.create(): downloads microsandbox runtime to ~/.microsandbox/
3. Build sandbox (Sandbox::builder().image().cpus().memory().create())
4. Execute commands (sandbox.exec())
5. Read results
6. Stop sandbox (sandbox.stop_and_wait())

CLI Workflow

# Quick one-shot execution
msb run python -- python3 -c "print('hello')"

# Named persistent sandbox
msb create --name my-app python
msb exec my-app -- python -c "import this"
msb stop my-app
msb rm my-app

# Install as system command
msb install ubuntu
ubuntu          # opens Ubuntu in microVM

Phases

Phase | What Happens | Artifact
1. Runtime Init | On first use: downloads agentd + libkrunfw to ~/.microsandbox/ | ~/.microsandbox/ binaries
2. Image Pull | Pull OCI image from registry (cached on subsequent runs) | ~/.microsandbox/images/
3. Sandbox Create | Boot microVM with libkrun using image | Running sandbox (child process)
4. Command Execution | agentd inside VM handles exec() calls | Command output (stdout/stderr)
5. Stop/Cleanup | sandbox.stop_and_wait() stops VM; rm for persistent cleanup | (none)

Approval Gates

None. Fully programmatic, no human-in-the-loop gate.

Named vs Ephemeral Sandboxes

  • Ephemeral (SDK default): Sandbox lives while the code using it runs
  • Named (CLI msb create --name): Persistent named sandbox that survives across CLI invocations; can be started/stopped/reused

Long-Running / Detached Mode

Sandboxes support detached mode for long-lived sessions ("Great for long-lived sessions" per README).

06

Memory & Context

Microsandbox — Memory & Context

State Model

Microsandbox uses SQLite (crates/db) for internal state — tracking sandbox registry (names, images, status). This is framework metadata, not agent context.

Sandbox Filesystem

Each sandbox has its own isolated filesystem derived from its OCI image. Changes made inside a sandbox persist for its lifetime. When the sandbox is stopped and removed (msb rm), the filesystem is discarded.

Named Sandboxes

Named sandboxes (created with msb create --name) persist across CLI invocations — they can be stopped and restarted, with filesystem state preserved between start/stop cycles. This is the closest microsandbox gets to cross-session persistence.

Runtime Installation Cache

  • ~/.microsandbox/bin/ — msb binary, agentd
  • ~/.microsandbox/lib/ — libkrunfw
  • ~/.microsandbox/images/ — OCI image cache (assumed location)

The first Sandbox.create() call from an SDK application triggers automatic download of the microsandbox runtime to ~/.microsandbox/ if not already installed.
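
A permission audit for the runtime directory described here and under Install Paths, added as an example (not code from the microsandbox project): every embedding application executes binaries from ~/.microsandbox/, so it flags anything there that another local account could replace. The demo tree is constructed and the library file name in it is illustrative.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories under ~/.microsandbox/ that hold code an embedding process runs.
RUNTIME_SUBDIRS = ("bin", "lib")


def audit_runtime_dir(root: Path, expected_uid: int) -> list[str]:
    """Return findings for anything another local user could replace."""
    if not root.is_dir():
        return [f"{root}: missing, runtime not installed"]
    findings = []
    candidates = [root]
    for sub in RUNTIME_SUBDIRS:
        base = root / sub
        if base.is_dir():
            candidates += [base, *sorted(base.rglob("*"))]
        else:
            findings.append(f"{sub}: missing, runtime not installed")
    real_root = root.resolve()
    for path in candidates:
        rel = path.relative_to(root)
        st = path.lstat()                       # inspect links, not their targets
        if stat.S_ISLNK(st.st_mode):
            target = path.resolve()
            if not target.is_relative_to(real_root):
                findings.append(f"{rel}: symlink leaves the runtime dir ({target})")
            continue
        if st.st_uid != expected_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: writable by group/other ({stat.filemode(st.st_mode)})")
    return findings


def demo() -> list[str]:
    """Constructed tree: sound msb/agentd binaries and a world-writable library."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".microsandbox"
        for d in (root, root / "bin", root / "lib"):
            d.mkdir()
            d.chmod(0o755)                      # fixed mode, independent of umask
        layout = {"bin/msb": 0o755, "bin/agentd": 0o755, "lib/libkrunfw.so": 0o666}
        for rel, mode in layout.items():        # file names are illustrative
            (root / rel).write_bytes(b"constructed")
            (root / rel).chmod(mode)
        return audit_runtime_dir(root, os.getuid())


if __name__ == "__main__":
    # Real use: audit_runtime_dir(Path.home() / ".microsandbox", os.getuid())
    print("\n".join(demo()) or "no findings")
```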

No LLM Context Management

Microsandbox has no mechanism for:

  • LLM context injection
  • Memory compaction
  • Cross-session handoff of agent context
  • Vector storage

It is a pure execution substrate — context management is the responsibility of the application using the SDK.

Secrets Management

Secrets are injected at sandbox startup without entering the VM image; the README claims "Unexploitable secret keys that never enter the VM." As described here, the mechanism (env var injection at the VM boundary, not inside the image) keeps secrets from being read out of the VM's filesystem. The guarantee described is about the image and filesystem; what processes inside the guest can observe is not covered here.

07

Orchestration

Microsandbox — Orchestration

Multi-Agent Support

Yes — multiple sandboxes can be created concurrently. The SDK is async (Rust/Python/TS all use async/await). The application creates as many sandboxes as needed; there is no built-in coordinator.

Isolation Mechanism

MicroVM (KVM/Hypervisor.framework via libkrun) — same virtualization backend as Brood Box. Hardware-level isolation, not container-based. Each sandbox is a full microVM.

Execution Mode

Embedded on-demand: Sandboxes are spawned as child processes of the calling application. No daemon, no server. The first create() call downloads the runtime if needed, then spawns a VM process.

Named sandboxes (via CLI) support long-running / detached mode.

Orchestration Pattern

None built-in. Applications using the SDK implement their own orchestration.
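
Because orchestration is left to the application, and the SDK workflow is create, exec, stop, here is an added example (not part of the microsandbox SDK) of a small coordinator that caps the number of live microVMs, bounds each exec with a timeout, and always calls stop_and_wait(). FakeFleet is a constructed stand-in for the SDK; only exec(), stop_and_wait() and stdout_text are taken from the snippets on this page.

```python
import asyncio
from types import SimpleNamespace


async def run_job(create, name, argv, gate, timeout):
    """Create one sandbox, run one command, and always stop the microVM."""
    async with gate:                      # cap the number of live microVMs
        sandbox = None
        try:
            sandbox = await create(name)
            out = await asyncio.wait_for(sandbox.exec(argv[0], argv[1:]), timeout)
            return name, "ok", out.stdout_text
        except asyncio.TimeoutError:
            return name, "timeout", ""
        except Exception as exc:          # a failed job must not take down its siblings
            return name, "error", repr(exc)
        finally:
            if sandbox is not None:       # teardown runs on success, timeout and error
                await sandbox.stop_and_wait()


async def run_all(create, jobs, max_parallel=2, timeout=5.0):
    """jobs: list of (sandbox_name, argv). Results come back in job order."""
    gate = asyncio.Semaphore(max_parallel)
    return await asyncio.gather(*(run_job(create, n, a, gate, timeout) for n, a in jobs))


class FakeFleet:
    """Constructed in-memory stand-in so the example runs without KVM.

    With the real SDK, `create` would wrap the call shown on this page:
    Sandbox.create(name, image="python", cpus=1, memory=512).
    """
    def __init__(self):
        self.live = self.peak = 0
        self.stopped = []

    async def create(self, name):
        self.live += 1
        self.peak = max(self.peak, self.live)
        fleet = self

        class _Sandbox:
            async def exec(self, cmd, args):
                if "hang" in args:
                    await asyncio.sleep(60)   # simulates a command that never returns
                if "boom" in args:
                    raise RuntimeError("exec failed")
                await asyncio.sleep(0.01)
                return SimpleNamespace(stdout_text=f"{name}: {cmd} {' '.join(args)}")

            async def stop_and_wait(self):
                fleet.live -= 1
                fleet.stopped.append(name)

        return _Sandbox()


if __name__ == "__main__":
    fleet = FakeFleet()
    jobs = [("a", ["echo", "1"]), ("b", ["sleep", "hang"]), ("c", ["sh", "boom"]), ("d", ["echo", "2"])]
    for row in asyncio.run(run_all(fleet.create, jobs, max_parallel=2, timeout=0.2)):
        print(row)
```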

Multi-Model

No. Microsandbox is model-agnostic.

MCP Integration

The separate microsandbox-mcp package exposes sandbox operations as MCP tools:

  • Sandbox lifecycle (create, start, stop, destroy)
  • Command execution
  • Filesystem access
  • Volume management
  • Monitoring/metrics

Claude Code integration: claude mcp add --transport stdio microsandbox -- npx -y microsandbox-mcp

Agent Skills Integration

The separate superradcompany/skills repo provides skill files for Claude Code, Cursor, Codex, Gemini CLI, and GitHub Copilot to teach those agents how to use microsandbox programmatically. Install: npx skills add superradcompany/skills.

Metrics

Live resource metrics available via msb metrics <name> (CPU/memory/network). Also accessible via SDK.

Git Automation

No. Agents inside sandboxes can run git commands; microsandbox itself does no git automation.

08

UI & CLI Surface

Microsandbox — UI & CLI Surface

CLI Binary

  • Binary name: msb
  • Install: curl -fsSL https://install.microsandbox.dev | sh or npx microsandbox run <image>
  • Is thin wrapper: No — interfaces directly with microsandbox runtime
  • Full command surface (from msb --tree):
    • msb run <image> — one-shot microVM
    • msb create, msb start, msb stop, msb rm — lifecycle
    • msb exec <name> -- <cmd> — execute in sandbox
    • msb ls, msb ps, msb inspect, msb metrics — status/inspection
    • msb pull, msb image ls, msb image rm — image management
    • msb install, msb uninstall — install sandbox as system command

Local UI

None. No web dashboard, no TUI (beyond basic CLI output). The msb metrics command provides live terminal metrics, but it is text-based.

Observability

  • msb ps <name>: Sandbox status
  • msb inspect <name>: Detailed info (IP, port forwards, image, status)
  • msb metrics <name>: Live CPU/memory/network usage
  • SDK: sandbox.exec() returns output.stdout() and output.stderr()

IDE Integration

None directly. The Agent Skills package teaches IDE-integrated coding agents (Claude Code, Cursor, Codex, Gemini CLI, Copilot) how to use the msb CLI programmatically from within their sessions.

Notable: msb install Pattern

msb install ubuntu    # installs as 'ubuntu' system command
ubuntu                # opens Ubuntu in a fresh microVM
msb uninstall ubuntu  # removes it

This makes microsandbox sandboxes feel like native commands — a distinctive UX choice not seen in other sandbox tools.
