# `openclaw sandbox`

Manage Docker-based isolated containers for secure agent execution.

## Overview

The OpenClaw sandbox system manages Docker-based isolated containers for secure agent execution. The CLI provides tools to inspect, list, and recreate these containers when configurations or images change.

## Key Commands

**`openclaw sandbox explain`** displays effective sandbox settings, including mode, scope, workspace access, and tool policies with relevant configuration paths.

**`openclaw sandbox list`** enumerates all sandbox containers, showing their operational status, Docker image details, creation time, idle duration, and associated session/agent information.

**`openclaw sandbox recreate`** forcefully removes containers to trigger fresh initialization with current images and configurations. Supports filtering by session, agent, or container type.

## Examples

```bash
openclaw sandbox explain
openclaw sandbox list
openclaw sandbox recreate
openclaw sandbox recreate --session
openclaw sandbox recreate --agent
```

## Primary Use Cases

After updating Docker images or modifying sandbox configuration settings, the recreate command ensures containers reflect these changes rather than persisting with outdated configurations. This addresses a core issue: existing containers continue running with old settings while the system waits up to 24 hours for automatic pruning.

## Configuration Location

Sandbox settings reside in `~/.openclaw/openclaw.json` under `agents.defaults.sandbox`, with per-agent overrides available in `agents.list[].sandbox`. Key parameters include:

* Execution mode (off/non-main/all)
* Scope level (session/agent/shared)
* Docker image specification
* Pruning thresholds

## Related Resources

See additional documentation covering broader sandboxing concepts, agent workspace configuration, and the doctor command for sandbox diagnostics verification.
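
For the layout described under Configuration Location, the following added example (not part of the OpenClaw code base or its documentation) resolves each agent's effective sandbox settings from `agents.defaults.sandbox` plus its `agents.list[].sandbox` override and flags agents whose isolation is switched off or shared. Assumptions: the key names `mode`, `scope` and `id`, a strict-JSON file, a key-by-key (shallow) override, and `shared` being the least isolated of the three scope levels.

```python
import json

# Constructed sample in the layout the page describes. The key names
# "mode", "scope" and "id" are assumptions, not confirmed by the page.
SAMPLE = """
{
  "agents": {
    "defaults": {"sandbox": {"mode": "non-main", "scope": "session"}},
    "list": [
      {"id": "triage"},
      {"id": "builder", "sandbox": {"mode": "all", "scope": "shared"}},
      {"id": "legacy", "sandbox": {"mode": "off"}}
    ]
  }
}
"""
MODES = {"off", "non-main", "all"}       # values listed on the page
SCOPES = {"session", "agent", "shared"}  # values listed on the page


def effective_sandbox(config):
    """Return {agent_id: settings}; per-agent keys override the defaults.

    Assumption: overrides replace defaults key by key (shallow merge).
    """
    agents = config.get("agents", {})
    defaults = agents.get("defaults", {}).get("sandbox", {})
    return {
        agent.get("id", f"#{index}"): {**defaults, **agent.get("sandbox", {})}
        for index, agent in enumerate(agents.get("list", []))
    }


def audit(config):
    """Return sorted (agent_id, finding) pairs for weak or invalid settings."""
    findings = []
    for agent_id, sandbox in effective_sandbox(config).items():
        mode, scope = sandbox.get("mode"), sandbox.get("scope")
        if mode not in MODES:
            findings.append((agent_id, f"unrecognised or unset mode: {mode!r}"))
        elif mode == "off":
            findings.append((agent_id, "sandbox disabled (mode off)"))
        if scope not in SCOPES:
            findings.append((agent_id, f"unrecognised or unset scope: {scope!r}"))
        elif scope == "shared" and mode != "off":
            findings.append((agent_id, "scope shared: container is not per agent"))
    return sorted(findings)


if __name__ == "__main__":
    for agent_id, finding in audit(json.loads(SAMPLE)):
        print(f"{agent_id}: {finding}")
```

`openclaw sandbox explain` remains the authoritative view of what the tool actually applies; a script like this is only for reviewing a configuration file offline.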