--- title: Sandbox CLI summary: "Manage sandbox containers and inspect effective sandbox policy" read_when: "You are managing sandbox containers or debugging sandbox/tool-policy behavior." status: active --- # Sandbox CLI Manage Docker-based sandbox containers for isolated agent execution. ## Overview Moltbot can run agents in isolated Docker containers for security. The `sandbox` commands help you manage these containers, especially after updates or configuration changes. ## Commands ### `moltbot sandbox explain` Inspect the **effective** sandbox mode/scope/workspace access, sandbox tool policy, and elevated gates (with fix-it config key paths). ```bash moltbot sandbox explain moltbot sandbox explain --session agent:main:main moltbot sandbox explain --agent work moltbot sandbox explain --json ``` ### `moltbot sandbox list` List all sandbox containers with their status and configuration. ```bash moltbot sandbox list moltbot sandbox list --browser # List only browser containers moltbot sandbox list --json # JSON output ``` **Output includes:** - Container name and status (running/stopped) - Docker image and whether it matches config - Age (time since creation) - Idle time (time since last use) - Associated session/agent ### `moltbot sandbox recreate` Remove sandbox containers to force recreation with updated images/config. ```bash moltbot sandbox recreate --all # Recreate all containers moltbot sandbox recreate --session main # Specific session moltbot sandbox recreate --agent mybot # Specific agent moltbot sandbox recreate --browser # Only browser containers moltbot sandbox recreate --all --force # Skip confirmation ``` **Options:** - `--all`: Recreate all sandbox containers - `--session `: Recreate container for specific session - `--agent `: Recreate containers for specific agent - `--browser`: Only recreate browser containers - `--force`: Skip confirmation prompt **Important:** Containers are automatically recreated when the agent is next used. ## Use Cases ### After updating Docker images ```bash # Pull new image docker pull moltbot-sandbox:latest docker tag moltbot-sandbox:latest moltbot-sandbox:bookworm-slim # Update config to use new image # Edit config: agents.defaults.sandbox.docker.image (or agents.list[].sandbox.docker.image) # Recreate containers moltbot sandbox recreate --all ``` ### After changing sandbox configuration ```bash # Edit config: agents.defaults.sandbox.* (or agents.list[].sandbox.*) # Recreate to apply new config moltbot sandbox recreate --all ``` ### After changing setupCommand ```bash moltbot sandbox recreate --all # or just one agent: moltbot sandbox recreate --agent family ``` ### For a specific agent only ```bash # Update only one agent's containers moltbot sandbox recreate --agent alfred ``` ## Why is this needed? **Problem:** When you update sandbox Docker images or configuration: - Existing containers continue running with old settings - Containers are only pruned after 24h of inactivity - Regularly-used agents keep old containers running indefinitely **Solution:** Use `moltbot sandbox recreate` to force removal of old containers. They'll be recreated automatically with current settings when next needed. Tip: prefer `moltbot sandbox recreate` over manual `docker rm`. It uses the Gateway’s container naming and avoids mismatches when scope/session keys change. ## Configuration Sandbox settings live in `~/.clawdbot/moltbot.json` under `agents.defaults.sandbox` (per-agent overrides go in `agents.list[].sandbox`): ```jsonc { "agents": { "defaults": { "sandbox": { "mode": "all", // off, non-main, all "scope": "agent", // session, agent, shared "docker": { "image": "moltbot-sandbox:bookworm-slim", "containerPrefix": "moltbot-sbx-" // ... more Docker options }, "prune": { "idleHours": 24, // Auto-prune after 24h idle "maxAgeDays": 7 // Auto-prune after 7 days } } } } } ``` ## See Also - [Sandbox Documentation](/gateway/sandboxing) - [Agent Configuration](/concepts/agent-workspace) - [Doctor Command](/gateway/doctor) - Check sandbox setup