Skip to main content
declaw sandbox (alias declaw sb) is the core command group for working with sandboxes. Global flags (--api-key, --domain, --json) apply to every subcommand.

create

Create a new sandbox.
declaw sandbox create --template python --timeout 600 --env OPENAI_API_KEY

Core flags

FlagShortDefaultDescription
--template-tbaseTemplate to boot from
--timeout300Lifetime in seconds before automatic destruction
--env-eEnv var KEY=VALUE, or bare KEY to forward the value from your shell. Repeatable
--vault-refVault-backed env ENV_VAR=secret-name. The VM gets a placeholder; the real secret is injected at the egress proxy. Repeatable
--metadataArbitrary KEY=VALUE metadata. Repeatable
--volumeAttach a volume: VOLUME_ID:MOUNT_PATH[:MODE[:SUBPATH]]. MODE is copy (default), mount, or mount-ro; SUBPATH is live-mount only. Repeatable
--securetrueEnable the security pipeline

Security policy flags

These compose into a single security policy applied to the sandbox. See Security overview for the concepts behind them.
FlagDefaultDescription
--injection-domainRestrict prompt-injection scanning to these egress hosts (exact, *.suffix, or ~regex). With no hosts listed, no scanning runs. Repeatable
--injection-fullfalseEnable the full prompt-injection defense cascade
--injection-modebalancedDetection posture: strict, balanced, permissive, agentic-tool, or data-egress-sensitive
--injection-policyNatural-language description of allowed agent behavior
--injection-always-judgefalseRun the deeper judge on every outbound request
--content-gate-domainsEnable the content gate and restrict it to these hosts
--opa-policyPath to a .rego file to apply as an inline policy
--opa-policy-modulePath to a .rego file added as an independent module. Repeatable
--opa-policy-refPre-published bundle ref: name@version, sha256:<hex>, or blob:<key>
--opa-fail-closedfalseDeny requests if the policy evaluator is unreachable (default is fail-open)

list

List your sandboxes (alias ls).
declaw sandbox list --state live --limit 20
FlagDefaultDescription
--stateFilter by state: live, paused, or killed
--limit0Maximum rows to return
--offset0Pagination offset

info

Show details for one sandbox (ID, template, state, name, start/end time, metadata).
declaw sandbox info sbx-abc123

kill

Destroy one or more sandboxes.
declaw sandbox kill sbx-abc123
declaw sandbox kill sbx-abc123 sbx-def456   # kill several at once

pause / resume

Pause a running sandbox (freeing compute) and resume it later from where it left off.
declaw sandbox pause sbx-abc123
declaw sandbox resume sbx-abc123

exec

Run a command inside a sandbox. Use -- to separate the command from CLI flags. Output streams live; the command’s exit code is propagated.
declaw sandbox exec sbx-abc123 -- python3 -c "print('hello')"
FlagShortDefaultDescription
--cwdWorking directory for the command
--userUser to run as
--timeout60Command timeout in seconds
--env-eEnv var KEY=VALUE for this command. Repeatable
With --json, output is buffered and printed as {exit_code, stdout, stderr}.

connect

Open an interactive terminal (PTY) into a sandbox, sized to your local terminal and resized on window changes. Disconnect with Ctrl-D or exit.
declaw sandbox connect sbx-abc123

files

Transfer and list files in a running sandbox.
declaw sandbox files ls sbx-abc123 /workspace
declaw sandbox files read sbx-abc123 /workspace/out.txt --output ./out.txt
declaw sandbox files write sbx-abc123 /workspace/in.csv ./local.csv
SubcommandArgsNotes
files ls <sandbox-id> <path>sandbox + directoryLists entries with type and size
files read <sandbox-id> <path>sandbox + remote pathPrints to stdout, or --output/-o writes to a local file
files write <sandbox-id> <remote> <local>sandbox + remote + localUploads a local file

Next steps