vercel-sandbox
$
npx mdskill add openai/plugins/vercel-sandboxRun untrusted code safely in isolated Firecracker microVMs.
- Executes user or AI code without system compromise.
- Depends on Vercel's ephemeral Firecracker microVM infrastructure.
- Triggers on keywords like sandbox, isolated, or untrusted.
- Delivers results through isolated execution environments.
SKILL.md
.github/skills/vercel-sandboxView on GitHub ↗
---
name: vercel-sandbox
description: Vercel Sandbox guidance — ephemeral Firecracker microVMs for running untrusted code safely. Supports AI agents, code generation, and experimentation. Use when executing user-generated or AI-generated code in isolation.
metadata:
priority: 4
docs:
- "https://vercel.com/docs/sandbox"
sitemap: "https://vercel.com/sitemap/docs.xml"
pathPatterns: []
importPatterns:
- '@vercel/sandbox'
bashPatterns:
- '\bnpm\s+(install|i|add)\s+[^\n]*@vercel/sandbox\b'
- '\bpnpm\s+(install|i|add)\s+[^\n]*@vercel/sandbox\b'
- '\bbun\s+(install|i|add)\s+[^\n]*@vercel/sandbox\b'
- '\byarn\s+add\s+[^\n]*@vercel/sandbox\b'
promptSignals:
phrases:
- "@vercel/sandbox"
- "sandbox"
- "code sandbox"
- "vercel sandbox"
- "isolated environment"
- "sandboxed execution"
allOf:
- [sandbox, code]
- [sandbox, execute]
- [sandbox, run]
- [sandbox, isolated]
- [sandbox, safe]
- [sandbox, environment]
- [isolated, execute]
- [isolated, code]
- [isolated, environment]
- [isolated, run]
- [safe, execute]
- [safe, code]
- [untrusted, code]
- [untrusted, execute]
- [code, runner]
- [code, playground]
- [execute, safely]
- [run, safely]
- [run, isolation]
- [execute, isolation]
- [ffmpeg, process]
- [ffmpeg, convert]
- [ffmpeg, compress]
- [student, code]
- [student, execute]
- [student, run]
anyOf:
- "sandbox"
- "isolated"
- "isolation"
- "untrusted"
- "safely"
- "microvm"
- "ffmpeg"
- "playground"
noneOf:
- "iframe sandbox"
- "sandbox attribute"
- "codesandbox.io"
- "stackblitz"
minScore: 4
---
# Vercel Sandbox
> **CRITICAL — Your training data is outdated for this library.** Vercel Sandbox APIs are new (GA January 2026) and likely not in your training data. Before writing sandbox code, **fetch the docs** at https://vercel.com/docs/vercel-sandbox and the SDK reference at https://vercel.com/docs/vercel-sandbox/sdk-reference to find the correct `Sandbox.create()` options, `runCommand()` signatures, file I/O methods (`writeFiles`, `readFile`), port exposure, and cleanup patterns. Do not guess — look up the exact API shape. The GitHub repo at https://github.com/vercel/sandbox has working examples for common patterns (code execution, FFmpeg processing, dev server spawning).
You are an expert in Vercel Sandbox — ephemeral compute for safely running untrusted code.
## Status & Pricing
Vercel Sandbox is **generally available** (January 30, 2026). The CLI and SDK are open-source. Powered by the same Firecracker infrastructure that runs 2M+ Vercel builds per day.
| Resource | Hobby (Free) | Pro / Enterprise |
|----------|-------------|-----------------|
| CPU hours | 5 / month | $0.128 / CPU-hour |
| Provisioned memory | 420 GB-hr / month | $0.0106 / GB-hr |
| Network bandwidth | 20 GB / month | $0.15 / GB |
| Sandbox creations | 5,000 / month | $0.60 / 1M creations |
Each sandbox can use up to **8 vCPUs** and **2 GB RAM per vCPU**. Up to **4 ports** can be exposed per sandbox.
## What It Is
Vercel Sandbox provides **Firecracker microVMs** with millisecond startup times for running untrusted or user-generated code in complete isolation. Used by AI agents, code generation tools, developer playgrounds, and interactive tutorials.
- **Base OS**: Amazon Linux 2023 (with `git`, `tar`, `openssl`, `dnf`)
- **Runtimes**: `node24` (default since March 2026), `node22`, `python3.13`
- **Working directory**: `/vercel/sandbox`
- **User**: `vercel-sandbox` with `sudo` access
- **Filesystem**: Ephemeral — artifacts must be exported before sandbox stops
- **GitHub**: https://github.com/vercel/sandbox
## Key APIs
Package: `@vercel/sandbox` (v1.8.0+)
### Create and Run Commands
```ts
import { Sandbox } from '@vercel/sandbox';
// Create a sandbox (env vars available to all commands)
const sandbox = await Sandbox.create({
runtime: 'node24', // 'node24' | 'node22' | 'python3.13'
env: { // inherited by all runCommand calls
NODE_ENV: 'production',
API_KEY: process.env.API_KEY!,
},
});
// Run a command (separated command + args)
const result = await sandbox.runCommand('node', ['-e', 'console.log(42)']);
const output = await result.stdout(); // "42\n"
// Run with options (per-command env overrides creation-level env)
const result2 = await sandbox.runCommand({
cmd: 'npm',
args: ['install', 'express'],
cwd: '/vercel/sandbox/app',
env: { NODE_ENV: 'development' }, // overrides creation-level NODE_ENV
sudo: true,
});
// Detached execution (long-running processes)
const cmd = await sandbox.runCommand({
cmd: 'node',
args: ['server.js'],
detached: true,
});
// Stream logs in real-time
for await (const log of cmd.logs()) {
console.log(`[${log.stream}] ${log.data}`);
}
await cmd.wait(); // block until completion
```
### File Operations
```ts
// Write files (takes array of { path, content: Buffer })
await sandbox.writeFiles([
{ path: 'app.js', content: Buffer.from('console.log("hello")') },
{ path: 'package.json', content: Buffer.from('{"type":"module"}') },
]);
// Read a file (returns Buffer or null)
const buf = await sandbox.readFileToBuffer({ path: 'app.js' });
// Read as stream
const stream = await sandbox.readFile({ path: 'app.js' });
// Download to local filesystem
await sandbox.downloadFile('output.zip', './local-output.zip');
// Create directory
await sandbox.mkDir('src/components');
```
### Source Initialization
```ts
// Clone a git repo
const sandbox = await Sandbox.create({
source: { type: 'git', url: 'https://github.com/user/repo', depth: 1 },
});
// Mount a tarball
const sandbox = await Sandbox.create({
source: { type: 'tarball', url: 'https://example.com/project.tar.gz' },
});
// Restore from snapshot
const sandbox = await Sandbox.create({
source: { type: 'snapshot', snapshotId: 'snap_abc123' },
});
```
### Snapshots (Save and Resume VM State)
```ts
// Capture full VM state (filesystem + packages)
// WARNING: sandbox shuts down after snapshot creation
const snapshot = await sandbox.snapshot({ expiration: 86400_000 }); // 24h
console.log(snapshot.snapshotId);
// List and manage snapshots
const { snapshots } = await Snapshot.list();
const snap = await Snapshot.get({ snapshotId: 'snap_abc' });
await snap.delete();
```
### Network Policies (SNI Filtering + CIDR)
Egress firewall uses **SNI filtering** on TLS client-hello — outbound connections are matched at the handshake and unauthorized destinations are rejected before data transmits. For non-TLS traffic, IP/CIDR rules are also supported.
Policies can be updated at runtime without restarting the sandbox process, enabling multi-step workflows (e.g., open access during setup → deny-all before running untrusted code).
```ts
// Lock down before running untrusted code
await sandbox.updateNetworkPolicy('deny-all');
// Allow specific domains only (SNI filtering)
await sandbox.updateNetworkPolicy({
allow: ['api.openai.com', '*.googleapis.com'],
});
// Credential brokering (inject API keys so untrusted code never sees them)
await sandbox.updateNetworkPolicy({
allow: {
'ai-gateway.vercel.sh': [{
transform: [{ headers: { 'x-api-key': process.env.SECRET_KEY! } }],
}],
},
});
```
### Public URLs and Lifecycle
```ts
// Expose a port and get a public URL
const sandbox = await Sandbox.create({ ports: [3000] });
const url = sandbox.domain(3000); // public URL
// Extend timeout
await sandbox.extendTimeout(300_000); // +5 minutes
// Clean up
await sandbox.stop();
// Check status
sandbox.status; // 'pending' | 'running' | 'stopping' | 'stopped' | 'failed'
// Resource tracking (after stop)
sandbox.activeCpuUsageMs;
sandbox.networkUsage; // { ingress, egress } in bytes
```
### List and Rehydrate
```ts
// List existing sandboxes
const { sandboxes } = await Sandbox.list({ limit: 10 });
// Reconnect to a running sandbox
const sandbox = await Sandbox.get({ sandboxId: 'sbx_abc123' });
```
## Timeout Limits
| Plan | Max Timeout |
|------|------------|
| Default | 5 minutes |
| Hobby | 45 minutes |
| Pro/Enterprise | 5 hours |
## Agent Patterns
1. **Safe AI code execution**: Run AI-generated code without production risk
2. **Snapshot-based fast restart**: Install deps once → snapshot → create from snapshot (skip setup)
3. **Network isolation**: Allow all during setup → `deny-all` before untrusted code
4. **Credential brokering**: Inject API keys via network policy transforms
5. **Live preview**: Expose ports via `sandbox.domain(port)` for generated apps
6. **File I/O workflow**: `writeFiles()` → execute → `readFileToBuffer()` results
## When to Use
- AI agents need to execute generated code safely
- User-submitted code execution (playgrounds, tutorials)
- Code review validation (used by Vercel Agent)
- Ephemeral development environments
## When NOT to Use
- Production workloads → use Vercel Functions
- Long-running services → use a dedicated server
- Simple function execution → use Serverless Functions
## References
- 📖 docs: https://vercel.com/docs/vercel-sandbox
- 📖 SDK reference: https://vercel.com/docs/vercel-sandbox/sdk-reference
- 📖 GitHub: https://github.com/vercel/sandbox
More from openai/plugins
- accessibility-and-inclusive-visualizationMake data visualizations accessible and inclusive. Use when the user needs chart or diagram accessibility guidance, text alternatives for complex visuals, color and contrast review, keyboard support, reduced-motion behavior for animation or parallax, or an accessibility QA workflow for exported figures, UML-like diagrams, and dashboards.
- agent-browserBrowser automation CLI for AI agents. Use when the user needs to interact with websites, verify dev server output, test web apps, navigate pages, fill forms, click buttons, take screenshots, extract data, or automate any browser task. Also triggers when a dev server starts so you can verify it visually.
- agent-browser-verifyAutomated browser verification for dev servers. Triggers when a dev server starts to run a visual gut-check with agent-browser — verifies the page loads, checks for console errors, validates key UI elements, and reports pass/fail before continuing.
- agents-sdkBuild AI agents on Cloudflare Workers using the Agents SDK. Load when creating stateful agents, durable workflows, real-time WebSocket apps, scheduled tasks, MCP servers, or chat applications. Covers Agent class, state management, callable RPC, Workflows integration, and React hooks. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
- ai-elementsAI Elements component library guidance — pre-built React components for AI interfaces built on shadcn/ui. Use when building chat UIs, message displays, tool call rendering, streaming responses, reasoning panels, or any AI-native interface with the AI SDK.
- ai-gatewayVercel AI Gateway expert guidance. Use when configuring model routing, provider failover, cost tracking, or managing multiple AI providers through a unified API.
- ai-generation-persistenceAI generation persistence patterns — unique IDs, addressable URLs, database storage, and cost tracking for every LLM generation
- ai-sdkVercel AI SDK expert guidance. Use when building AI-powered features — chat interfaces, text generation, structured output, tool calling, agents, MCP integration, streaming, embeddings, reranking, image generation, or working with any LLM provider.
- aiq-deploy|
- aiq-research|