OpenShell is NVIDIA's container-based sandbox for restricting AI agent behavior. It isolates agents in Kubernetes (K3s) pods and routes all network traffic through an HTTP CONNECT proxy that can inspect and enforce at the HTTP method/path level (L7). It also provides credential isolation — agents never see real API keys. However, OpenShell requires Docker + K3s infrastructure, has no real-time file monitoring or audit trail, no interactive approval workflows, and is currently in alpha (single-player mode only). Guardian Shell takes a fundamentally different approach: kernel-level enforcement via eBPF, Landlock, and seccomp with full visibility into every syscall.
Feature Comparison
| Feature | Guardian Shell | OpenShell |
|---|---|---|
| Cgroup-based agent isolation | Guardian Launcher (default) | K3s pods |
| eBPF-based monitoring | ✓ | ✕ |
| Kernel-level file enforcement | Landlock + LSM BPF | Landlock (silent) |
| Network enforcement level | L4 (port-based) | L4 + L7 (HTTP method/path) |
| Credential isolation | ✕ | Proxy-based substitution |
| Real-time file audit trail | ✓ | ✕ |
| Interactive approval workflow | ✓ | ✕ |
| Temporary access grants | ✓ | ✕ |
| Anomaly detection | ✓ | ✕ |
| Web dashboard | ✓ | ✕ |
| Alerting (Slack, email, webhooks) | ✓ | ✕ |
| Cross-platform support | Linux only | Linux, macOS, Windows |
| Infrastructure requirements | Single binary | Docker + K3s |
| Startup time | Milliseconds | Seconds (pod scheduling) |
| CSRF protection | ✓ | ✕ |
| Privilege dropping | Automatic after setup | Container isolation |
| read_only file policies | ✓ | ✕ |
| CPU overhead | < 3% | Significant per sandbox |
| Policy language | TOML | OPA/Rego |
| Maturity | Production-ready | Alpha |
Why Choose Guardian Shell
- ✓Cgroup-based agent isolation with four defense layers (cgroup + Landlock + seccomp + eBPF) — no container runtime required
- ✓Real-time file access monitoring and audit trail — OpenShell's Landlock is silent with no event stream
- ✓Interactive approval workflows — humans approve sensitive access in real time; OpenShell requires all policy predefined
- ✓Lightweight single binary (~10MB) with millisecond startup — OpenShell needs Docker + K3s with multi-second pod scheduling
- ✓Behavioral anomaly detection — flags rubber-stamping approvals, high-volume agents, and persistence attack patterns
- ✓Built-in web dashboard, Slack/email/webhook alerts, and Prometheus metrics — OpenShell has no alerting system
- ✓Simple TOML configuration — no Kubernetes CRDs, OPA/Rego policy files, or container orchestration
The Verdict
OpenShell and Guardian Shell solve the same problem from opposite directions. OpenShell excels at network-level control — its L7 HTTP proxy can distinguish GET from POST on the same endpoint, and its credential isolation ensures agents never possess real API keys. For teams needing strict network policy and cross-platform support, OpenShell offers capabilities Guardian Shell doesn't. But OpenShell trades visibility for isolation: there's no file access audit trail, no interactive approvals, no anomaly detection, and no alerting. Guardian Shell provides the kernel-level visibility and enforcement that OpenShell lacks — real-time monitoring of every file access, interactive human-in-the-loop approvals, and behavioral anomaly detection, all in a lightweight single binary. For the strongest security posture, the two tools are complementary: Guardian Shell's eBPF monitoring inside an OpenShell sandbox provides both kernel-level visibility and container-level network isolation.