openclaw-skill/openclaw-knowhow-skill/docs/reference/cli/sandbox.md

sandbox

openclaw sandbox

Manage Docker-based isolated containers for secure agent execution.

Overview

The OpenClaw sandbox system manages Docker-based isolated containers for secure agent execution. The CLI provides tools to inspect, list, and recreate these containers when configurations or images change.

Key Commands

openclaw sandbox explain displays effective sandbox settings, including mode, scope, workspace access, and tool policies with relevant configuration paths.

openclaw sandbox list enumerates all sandbox containers, showing their operational status, Docker image details, creation time, idle duration, and associated session/agent information.

openclaw sandbox recreate forcefully removes containers to trigger fresh initialization with current images and configurations. Supports filtering by session, agent, or container type.

Examples

openclaw sandbox explain
openclaw sandbox list
openclaw sandbox recreate
openclaw sandbox recreate --session <id>
openclaw sandbox recreate --agent <id>

Primary Use Cases

After updating Docker images or modifying sandbox configuration settings, the recreate command ensures containers reflect these changes rather than persisting with outdated configurations. This addresses a core issue: existing containers continue running with old settings while the system waits up to 24 hours for automatic pruning.

Configuration Location

Sandbox settings reside in ~/.openclaw/openclaw.json under agents.defaults.sandbox, with per-agent overrides available in agents.list[].sandbox. Key parameters include:

• Execution mode (off/non-main/all)
• Scope level (session/agent/shared)
• Docker image specification
• Pruning thresholds

Related Resources

See additional documentation covering broader sandboxing concepts, agent workspace configuration, and the doctor command for sandbox diagnostics verification.