- Open-source, YC-backed microsandbox spins up libkrun-based microVMs from Python or TypeScript in milliseconds.
- No daemon, no cloud, no Kubernetes — just a real Linux kernel per agent, locally.

TL;DR
Microsandbox is an open-source toolkit from SuperRad Company (YC-backed, Apache 2.0) that lets AI agents spawn their own libkrun microVMs in under 100 ms — directly from Python, TypeScript, or Rust code. No persistent daemon. No Kubernetes. No cloud bill. Each sandbox gets its own Linux kernel, runs any OCI image, and enforces a zero-exfiltration secret model. Version 0.3.14 shipped April 18, 2026. 5.7k GitHub stars, and climbing fast.
What's new
On April 16, 2026, the GithubProjects account surfaced microsandbox as the sandbox runtime most likely to eat Docker's lunch for agent workloads. The pitch is blunt: every agent deserves its own computer.
Unlike managed platforms such as E2B or Vercel Sandbox, microsandbox runs locally. You run npm i microsandbox (or uv add microsandbox), call Sandbox.builder("python").create(), and a hardware-isolated microVM boots as a child process of your app. Shut your laptop — the sandbox is gone. No daemon lingers.
Why it matters
AI agents increasingly execute untrusted, LLM-generated code: shell commands, pip installs, filesystem writes, network calls. Docker containers share the host kernel — one namespace escape ruins the weekend. Cloud sandbox APIs cost money per sandbox-minute and send your code and data across a third-party boundary. Microsandbox collapses the trilemma: real VM isolation, free, and local.
The other quiet win is the no-daemon architecture. Docker, Podman, and most container runtimes need a long-running root service. That's fine on a server, painful on a laptop, and a non-starter when an agent framework wants to ship a single binary to end users. Microsandbox's SDK-first model means the application is the orchestrator — boot a VM, hand the agent a shell, drop the VM when the task is done, no background process ever touched.
Technical facts
- Isolation: libkrun-powered microVM. Each sandbox gets its own Linux kernel and memory space — not a namespace, not a cgroup.
- Boot time: under 100 ms on average after the first image pull (OCI images cached locally).
- Rootless & daemonless: sandboxes spawn as child processes of the caller. Nothing to install as root, nothing to keep running.
- OCI-compatible: pull any Docker Hub, GHCR, ECR, or GCR image. No custom image format.
- Secret firewall: credentials never enter the VM. The runtime swaps random placeholders for real secrets only on outbound calls to allowlisted hosts — so even full RCE inside the sandbox reveals nothing.
- Network policies: programmable allowlist/blocklist per sandbox.
- Language SDKs: Python, TypeScript, Rust — API-consistent across all three.
- Platforms: Linux with KVM, or macOS on Apple Silicon.
- License: Apache 2.0.
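
The secret firewall described above can be modelled in a few lines. This is an added illustration, not microsandbox's code: the SecretBroker class, its methods, the ph_ placeholder format and the example hosts are hypothetical, and it assumes a placeholder is simply left in place when the destination is not allowlisted.

```python
# Toy model of placeholder-based secret substitution at sandbox egress.
# Added illustration: SecretBroker and all names are hypothetical, not the SDK.
import secrets
from urllib.parse import urlsplit


class SecretBroker:
    """Host-side component; the guest only ever receives placeholders."""

    def __init__(self):
        self._vault = {}  # placeholder -> (real secret, allowed hostnames)

    def register(self, real_value, allowed_hosts):
        """Keep the secret on the host and return a random placeholder."""
        placeholder = "ph_" + secrets.token_hex(16)
        hosts = frozenset(h.lower() for h in allowed_hosts)
        self._vault[placeholder] = (real_value, hosts)
        return placeholder

    def rewrite_outbound(self, url, headers):
        """Substitute real values only for exactly matching allowlisted hosts."""
        # urlsplit().hostname drops userinfo and port, so
        # "https://api.example.com@other.test/" resolves to "other.test".
        host = (urlsplit(url).hostname or "").lower()
        rewritten = {}
        for name, value in headers.items():
            for placeholder, (real, hosts) in self._vault.items():
                if placeholder in value and host in hosts:
                    value = value.replace(placeholder, real)
            rewritten[name] = value
        return rewritten


def demo():
    """Constructed scenario: one API key scoped to one host."""
    broker = SecretBroker()
    real = "sk-constructed-example-key"  # constructed sample value
    ph = broker.register(real, {"api.example.com"})
    guest = {"Authorization": "Bearer " + ph}  # all the sandboxed code sees
    results = {
        "allowed": broker.rewrite_outbound("https://api.example.com/v1", guest),
        "suffix": broker.rewrite_outbound("https://api.example.com.other.test/", guest),
        "userinfo": broker.rewrite_outbound("https://api.example.com@other.test/", guest),
    }
    return real, ph, results


if __name__ == "__main__":
    print({case: hdrs["Authorization"] for case, hdrs in demo()[2].items()})
```
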
Comparison
| Property | Microsandbox | E2B | Vercel Sandbox |
|---|---|---|---|
| Isolation | libkrun microVM | Firecracker microVM | Firecracker microVM |
| Boot time | <100 ms | ~150 ms | Few seconds |
| Deploy model | Local / self-host | Managed SaaS | Managed (Vercel) |
| Session limit | Unlimited | 1h Hobby / 24h Pro | ~45 min |
| Price | Free (Apache 2.0) | Usage-based | Usage-based |
| Setup | One-line install + SDK | Account + API key | Vercel account |
The distinction is philosophical: E2B and Vercel sell managed sandbox infra; microsandbox hands you the primitive and gets out of the way.
Use cases
- Local AI coding agents. Claude Code, Cursor, Codex, GitHub Copilot — ships with Agent Skills (npx skills add superradcompany/skills) and an MCP server (microsandbox-mcp) so agents get structured tool calls for sandbox lifecycle and filesystem access out of the box.
- Per-agent isolated compute. Give every autonomous agent its own VM for browser automation, package installs, or file ops — zero cross-contamination.
- Offline & air-gapped workflows. Run untrusted LLM output without shipping prompts or generated code to a third-party sandbox vendor.
- Short-lived CI tasks. Spin up a VM, run the test, tear it down — all sub-second.
Limitations & pricing
The README is upfront: this is beta software. Expect breaking changes and rough edges. Runtime is Linux-with-KVM or macOS Apple Silicon only — no Windows, no Intel Mac. There's no hosted offering, so teams needing an SLA still reach for E2B or Vercel Sandbox. Several headline roadmap items — snapshot/fork/restore (copy-on-write forking), peer-spawned sandboxes, a plugin system, bidirectional guest-host events — are listed as coming soon, not yet shipped.
Price: free. Apache 2.0. No tiers, no quotas.
What's next
26 releases in, SuperRad Company is pushing a steady weekly cadence. The roadmap — especially CoW-forking for sub-millisecond spawn and sandbox-in-sandbox nesting — tracks closely with what multi-agent research stacks are begging for. If they ship it, microsandbox becomes the default local substrate for every agent framework that today bolts onto Docker.
Sources: github.com/superradcompany/microsandbox, docs.microsandbox.dev, Northflank sandbox comparison.

