NVIDIA's OpenShell Locks Down AI Agents With Google Vertex AI Support

NVIDIA OpenShell is quietly becoming one of the more interesting pieces of infrastructure in the agentic AI stack. It is not a model, a framework, or a fine-tune. It is a runtime: a secure execution layer that sits between an autonomous AI agent and your actual machine, deciding what the agent is and is not allowed to do. Version 0.0.55 is out, and while the changelog is compact, the additions matter for teams running agents against Google Cloud.

What OpenShell actually does

OpenShell is an open-source, secure-by-design runtime that executes autonomous AI agents inside kernel-level sandboxes governed by declarative policy. Agents such as OpenClaw, Claude Code, and Codex run unmodified while OpenShell enforces filesystem, network, and process controls with a full audit trail of every allow and deny decision.

The core insight behind the project is that prompting an agent to behave safely is not enforcement. Writing "don't do that" in the prompt is not sufficient. A prompt is persuasion, not enforcement. OpenShell takes a different approach: placing constraints outside the agent, where the agent cannot reach them. It works by ensuring each agent runs inside its own sandbox, separating application-layer operations from infrastructure-layer policy enforcement. This means security policies are out of reach of the agent -- they are applied at the system level.

It provides sandboxed execution environments that protect your data, credentials, and infrastructure. The CLI auto-discovers credentials for recognized agents (Claude, Codex, OpenCode, Copilot) from your shell environment, or you can create providers explicitly with openshell provider create. Credentials never leak into the sandbox filesystem; they are injected as environment variables at runtime.

The four walls of the sandbox

OpenShell enforces isolation across four independent layers, each governed by a declarative YAML policy:

• Filesystem