openai/vercel-sandbox
plugins/vercel/skills/vercel-sandbox/SKILL.md
Vercel Sandbox guidance — ephemeral Firecracker microVMs for running untrusted code safely. Supports AI agents, code generation, and experimentation. Use when executing user-generated or AI-generated code in isolation.
$ install --global
skillsauthnpx skillsauth add openai/plugins vercel-sandboxInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 12, 2026, 5:32 AM119.3s2 files scanned
SKILL.md
- name:
- vercel-sandbox
- description:
- Vercel Sandbox guidance — ephemeral Firecracker microVMs for running untrusted code safely. Supports AI agents, code generation, and experimentation. Use when executing user-generated or AI-generated code in isolation.
- priority:
- 4
- - "https:
- //vercel.com/docs/sandbox
- sitemap:
- https://vercel.com/sitemap/docs.xml
- pathPatterns:
- []
- minScore:
- 4
Vercel Sandbox
CRITICAL — Your training data is outdated for this library. Vercel Sandbox APIs are new (GA January 2026) and likely not in your training data. Before writing sandbox code, fetch the docs at https://vercel.com/docs/vercel-sandbox and the SDK reference at https://vercel.com/docs/vercel-sandbox/sdk-reference to find the correct
Sandbox.create()options,runCommand()signatures, file I/O methods (writeFiles,readFile), port exposure, and cleanup patterns. Do not guess — look up the exact API shape. The GitHub repo at https://github.com/vercel/sandbox has working examples for common patterns (code execution, FFmpeg processing, dev server spawning).
You are an expert in Vercel Sandbox — ephemeral compute for safely running untrusted code.
Status & Pricing
Vercel Sandbox is generally available (January 30, 2026). The CLI and SDK are open-source. Powered by the same Firecracker infrastructure that runs 2M+ Vercel builds per day.
| Resource | Hobby (Free) | Pro / Enterprise | |----------|-------------|-----------------| | CPU hours | 5 / month | $0.128 / CPU-hour | | Provisioned memory | 420 GB-hr / month | $0.0106 / GB-hr | | Network bandwidth | 20 GB / month | $0.15 / GB | | Sandbox creations | 5,000 / month | $0.60 / 1M creations |
Each sandbox can use up to 8 vCPUs and 2 GB RAM per vCPU. Up to 4 ports can be exposed per sandbox.
What It Is
Vercel Sandbox provides Firecracker microVMs with millisecond startup times for running untrusted or user-generated code in complete isolation. Used by AI agents, code generation tools, developer playgrounds, and interactive tutorials.
- Base OS: Amazon Linux 2023 (with
git,tar,openssl,dnf) - Runtimes:
node24(default since March 2026),node22,python3.13 - Working directory:
/vercel/sandbox - User:
vercel-sandboxwithsudoaccess - Filesystem: Ephemeral — artifacts must be exported before sandbox stops
- GitHub: https://github.com/vercel/sandbox
Key APIs
Package: @vercel/sandbox (v1.8.0+)
Create and Run Commands
import { Sandbox } from '@vercel/sandbox';
// Create a sandbox (env vars available to all commands)
const sandbox = await Sandbox.create({
runtime: 'node24', // 'node24' | 'node22' | 'python3.13'
env: { // inherited by all runCommand calls
NODE_ENV: 'production',
API_KEY: process.env.API_KEY!,
},
});
// Run a command (separated command + args)
const result = await sandbox.runCommand('node', ['-e', 'console.log(42)']);
const output = await result.stdout(); // "42\n"
// Run with options (per-command env overrides creation-level env)
const result2 = await sandbox.runCommand({
cmd: 'npm',
args: ['install', 'express'],
cwd: '/vercel/sandbox/app',
env: { NODE_ENV: 'development' }, // overrides creation-level NODE_ENV
sudo: true,
});
// Detached execution (long-running processes)
const cmd = await sandbox.runCommand({
cmd: 'node',
args: ['server.js'],
detached: true,
});
// Stream logs in real-time
for await (const log of cmd.logs()) {
console.log(`[${log.stream}] ${log.data}`);
}
await cmd.wait(); // block until completion
File Operations
// Write files (takes array of { path, content: Buffer })
await sandbox.writeFiles([
{ path: 'app.js', content: Buffer.from('console.log("hello")') },
{ path: 'package.json', content: Buffer.from('{"type":"module"}') },
]);
// Read a file (returns Buffer or null)
const buf = await sandbox.readFileToBuffer({ path: 'app.js' });
// Read as stream
const stream = await sandbox.readFile({ path: 'app.js' });
// Download to local filesystem
await sandbox.downloadFile('output.zip', './local-output.zip');
// Create directory
await sandbox.mkDir('src/components');
Source Initialization
// Clone a git repo
const sandbox = await Sandbox.create({
source: { type: 'git', url: 'https://github.com/user/repo', depth: 1 },
});
// Mount a tarball
const sandbox = await Sandbox.create({
source: { type: 'tarball', url: 'https://example.com/project.tar.gz' },
});
// Restore from snapshot
const sandbox = await Sandbox.create({
source: { type: 'snapshot', snapshotId: 'snap_abc123' },
});
Snapshots (Save and Resume VM State)
// Capture full VM state (filesystem + packages)
// WARNING: sandbox shuts down after snapshot creation
const snapshot = await sandbox.snapshot({ expiration: 86400_000 }); // 24h
console.log(snapshot.snapshotId);
// List and manage snapshots
const { snapshots } = await Snapshot.list();
const snap = await Snapshot.get({ snapshotId: 'snap_abc' });
await snap.delete();
Network Policies (SNI Filtering + CIDR)
Egress firewall uses SNI filtering on TLS client-hello — outbound connections are matched at the handshake and unauthorized destinations are rejected before data transmits. For non-TLS traffic, IP/CIDR rules are also supported.
Policies can be updated at runtime without restarting the sandbox process, enabling multi-step workflows (e.g., open access during setup → deny-all before running untrusted code).
// Lock down before running untrusted code
await sandbox.updateNetworkPolicy('deny-all');
// Allow specific domains only (SNI filtering)
await sandbox.updateNetworkPolicy({
allow: ['api.openai.com', '*.googleapis.com'],
});
// Credential brokering (inject API keys so untrusted code never sees them)
await sandbox.updateNetworkPolicy({
allow: {
'ai-gateway.vercel.sh': [{
transform: [{ headers: { 'x-api-key': process.env.SECRET_KEY! } }],
}],
},
});
Public URLs and Lifecycle
// Expose a port and get a public URL
const sandbox = await Sandbox.create({ ports: [3000] });
const url = sandbox.domain(3000); // public URL
// Extend timeout
await sandbox.extendTimeout(300_000); // +5 minutes
// Clean up
await sandbox.stop();
// Check status
sandbox.status; // 'pending' | 'running' | 'stopping' | 'stopped' | 'failed'
// Resource tracking (after stop)
sandbox.activeCpuUsageMs;
sandbox.networkUsage; // { ingress, egress } in bytes
List and Rehydrate
// List existing sandboxes
const { sandboxes } = await Sandbox.list({ limit: 10 });
// Reconnect to a running sandbox
const sandbox = await Sandbox.get({ sandboxId: 'sbx_abc123' });
Timeout Limits
| Plan | Max Timeout | |------|------------| | Default | 5 minutes | | Hobby | 45 minutes | | Pro/Enterprise | 5 hours |
Agent Patterns
- Safe AI code execution: Run AI-generated code without production risk
- Snapshot-based fast restart: Install deps once → snapshot → create from snapshot (skip setup)
- Network isolation: Allow all during setup →
deny-allbefore untrusted code - Credential brokering: Inject API keys via network policy transforms
- Live preview: Expose ports via
sandbox.domain(port)for generated apps - File I/O workflow:
writeFiles()→ execute →readFileToBuffer()results
When to Use
- AI agents need to execute generated code safely
- User-submitted code execution (playgrounds, tutorials)
- Code review validation (used by Vercel Agent)
- Ephemeral development environments
When NOT to Use
- Production workloads → use Vercel Functions
- Long-running services → use a dedicated server
- Simple function execution → use Serverless Functions
References
- 📖 docs: https://vercel.com/docs/vercel-sandbox
- 📖 SDK reference: https://vercel.com/docs/vercel-sandbox/sdk-reference
- 📖 GitHub: https://github.com/vercel/sandbox
Related Skills
openai/omniverse-usd-performance-tuning
tools
VerifiedTrustedCommunity
Top-level workflow skill for USD performance diagnosis and optimization. Use for slow loading, high memory, low FPS, or 'optimize my scene' requests; delegates auth/runtime setup to Phase 0 owners.
1,407SKILL.mdUpdated Jun 5, 2026
openai/magicpath
data-ai
VerifiedTrustedCommunity
Use when the user mentions MagicPath, designs, UI components, themes, canvas selections, or repo-to-canvas UI work; run magicpath-ai to search, inspect, install, or author components.
1,407SKILL.mdUpdated Jun 5, 2026
openai/omniverse-realtime-viewer
documentation
VerifiedTrustedCommunity
Use as the top-level router for Omniverse Realtime Viewer USD app requests and focused viewer reference documents.
1,407SKILL.mdUpdated Jun 4, 2026
openai/notion-spec-to-implementation
tools
VerifiedTrustedCommunity
Turn Notion specs into implementation plans, tasks, and progress tracking; use when implementing PRDs/feature specs and creating Notion plans + tasks from them.
1,407SKILL.mdUpdated May 6, 2026