Catalog
cloudflare/sandbox-sdk

cloudflare

sandbox-sdk

Build sandboxed applications for secure code execution. Load when building AI code execution, code interpreters, CI/CD systems, interactive dev environments, or executing untrusted code. Covers Sandbox SDK lifecycle, commands, files, code interpreter, and preview URLs. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.

global
New~1.4k
v1.0Saved Jul 11, 2026

Cloudflare Sandbox SDK

Build secure, isolated code execution environments on Cloudflare Workers.

FIRST: Verify Installation

npm install @cloudflare/sandbox
docker info  # Must succeed - Docker required for local dev

Retrieval Sources

Your knowledge of the Sandbox SDK may be outdated. Prefer retrieval over pre-training for any Sandbox SDK task.

Resource URL
Docs https://developers.cloudflare.com/sandbox/
API Reference https://developers.cloudflare.com/sandbox/api/
Examples https://github.com/cloudflare/sandbox-sdk/tree/main/examples
Get Started https://developers.cloudflare.com/sandbox/get-started/

When implementing features, fetch the relevant doc page or example first.

Required Configuration

wrangler.jsonc (exact - do not modify structure):

{
  "containers": [{
    "class_name": "Sandbox",
    "image": "./Dockerfile",
    "instance_type": "lite",
    "max_instances": 1
  }],
  "durable_objects": {
    "bindings": [{ "class_name": "Sandbox", "name": "Sandbox" }]
  },
  "migrations": [{ "new_sqlite_classes": ["Sandbox"], "tag": "v1" }]
}

Worker entry - must re-export Sandbox class:

import { getSandbox } from '@cloudflare/sandbox';
export { Sandbox } from '@cloudflare/sandbox';  // Required export

Quick Reference

Task Method
Get sandbox getSandbox(env.Sandbox, 'user-123')
Run command await sandbox.exec('python script.py')
Run code (interpreter) await sandbox.runCode(code, { language: 'python' })
Write file await sandbox.writeFile('/workspace/app.py', content)
Read file await sandbox.readFile('/workspace/app.py')
Create directory await sandbox.mkdir('/workspace/src', { recursive: true })
List files await sandbox.listFiles('/workspace')
Expose port await sandbox.exposePort(8080)
Destroy await sandbox.destroy()

Core Patterns

Execute Commands

const sandbox = getSandbox(env.Sandbox, 'user-123');
const result = await sandbox.exec('python --version');
// result: { stdout, stderr, exitCode, success }

Use runCode() for executing LLM-generated code with rich outputs:

const ctx = await sandbox.createCodeContext({ language: 'python' });

await sandbox.runCode('import pandas as pd; data = [1,2,3]', { context: ctx });
const result = await sandbox.runCode('sum(data)', { context: ctx });
// result.results[0].text = "6"

Languages: python, javascript, typescript

State persists within context. Create explicit contexts for production.

File Operations

await sandbox.mkdir('/workspace/project', { recursive: true });
await sandbox.writeFile('/workspace/project/main.py', code);
const file = await sandbox.readFile('/workspace/project/main.py');
const files = await sandbox.listFiles('/workspace/project');

When to Use What

Need Use Why
Shell commands, scripts exec() Direct control, streaming
LLM-generated code runCode() Rich outputs, state persistence
Build/test pipelines exec() Exit codes, stderr capture
Data analysis runCode() Charts, tables, pandas

Extending the Dockerfile

Base image (docker.io/cloudflare/sandbox:0.7.0) includes Python 3.11, Node.js 20, and common tools.

Add dependencies by extending the Dockerfile:

FROM docker.io/cloudflare/sandbox:0.7.0

# Python packages
RUN pip install requests beautifulsoup4

# Node packages (global)
RUN npm install -g typescript

# System packages
RUN apt-get update && apt-get install -y ffmpeg && rm -rf /var/lib/apt/lists/*

EXPOSE 8080  # Required for local dev port exposure

Keep images lean - affects cold start time.

Preview URLs (Port Exposure)

Expose HTTP services running in sandboxes:

const { url } = await sandbox.exposePort(8080);
// Returns preview URL for the service

Production requirement: Preview URLs need a custom domain with wildcard DNS (*.yourdomain.com). The .workers.dev domain does not support preview URL subdomains.

See: https://developers.cloudflare.com/sandbox/guides/expose-services/

OpenAI Agents SDK Integration

The SDK provides helpers for OpenAI Agents at @cloudflare/sandbox/openai:

import { Shell, Editor } from '@cloudflare/sandbox/openai';

See examples/openai-agents for complete integration pattern.

Sandbox Lifecycle

  • getSandbox() returns immediately - container starts lazily on first operation
  • Containers sleep after 10 minutes of inactivity (configurable via sleepAfter)
  • Use destroy() to immediately free resources
  • Same sandboxId always returns same sandbox instance

Anti-Patterns

  • Don't use internal clients (CommandClient, FileClient) - use sandbox.* methods
  • Don't skip the Sandbox export - Worker won't deploy without export { Sandbox }
  • Don't hardcode sandbox IDs for multi-user - use user/session identifiers
  • Don't forget cleanup - call destroy() for temporary sandboxes

Detailed References

Files3
3 files · 15.8 KB

Select a file to preview

Grade adjusted by static analysis guardrails

AI scored this skill as grade A, but static analysis findings capped it to B:

  • Recursive deletion pattern (rm -rf) (max: B)

Overall Score

87/100

Grade

B

Good

Safety

85

Quality

92

Clarity

88

Completeness

82

Summary

This skill teaches how to build secure, isolated code execution environments using Cloudflare's Sandbox SDK. It covers sandbox lifecycle management, command execution, code interpretation, file operations, and port exposure for running services. The skill is designed to guide agents in implementing AI code executors, CI/CD systems, and interactive development environments on Cloudflare Workers.

Static Analysis Findings

1 finding

Patterns detected by deterministic static analysis before AI scoring. Hover over any finding code for detailed information and remediation guidance.

Destructive Operation
SEC-001Recursive DeletionMax: B

Recursive deletion pattern (rm -rf)

SKILL.mdrm -rf

Detected Capabilities

Shell command execution (via exec)Code interpretation and execution (Python, JavaScript, TypeScript)File read/write operationsDirectory creation and listingPort exposure for web servicesSandbox resource management and cleanupDockerfile extension for custom dependenciesEnvironment variable configuration

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

sandbox code executionai code interpretercloudflare workers sandboxuntrusted code executionephemeral environmentsisolated code runner

Risk Signals

INFO

Recursive deletion pattern (rm -rf) in Dockerfile RUN command

SKILL.md, Extending the Dockerfile section
INFO

Execution of untrusted code within sandboxes

SKILL.md, Core Patterns and Code Interpreter sections
INFO

Port exposure to preview URLs

SKILL.md, Preview URLs section

Referenced Domains

External domains referenced in skill content, detected by static analysis.

developers.cloudflare.comgithub.comwww.apache.org

Use Cases

  • Build an AI code interpreter that safely executes user-generated Python or JavaScript code in isolated sandboxes
  • Create a secure CI/CD pipeline that runs build and test commands in ephemeral sandbox containers
  • Implement an interactive development environment or REPL for real-time code execution and debugging
  • Deploy a multi-user code execution service where each user/session gets its own isolated sandbox instance
  • Build agent integrations (OpenAI Agents, Claude, OpenCode) with shell access and code execution capabilities

Quality Notes

  • ✓ Excellent documentation structure with clear sections, quick reference tables, and anti-patterns guidance
  • ✓ Comprehensive API reference in supporting files with full method signatures and error handling patterns
  • ✓ Strong focus on retrieval from official Cloudflare docs to prevent outdated knowledge
  • ✓ Lifecycle and resource management clearly explained (lazy startup, auto-sleep, destroy patterns)
  • ✓ Well-documented trade-off guidance (when to use exec() vs runCode() for different workloads)
  • ✓ Anti-patterns section explicitly warns against dangerous practices (hardcoding IDs, skipping exports, missing cleanup)
  • ✓ Configuration examples provided for wrangler.jsonc and Worker entry points
  • ✓ Supporting references well-organized with example index and common patterns extracted from real usage
  • ✓ Uses precise language; no ambiguous instructions or guesswork required for implementation
  • ⚠ The `rm -rf` usage is appropriate (cleaning up apt cache in Docker) and is documented context for lean images
Model: claude-haiku-4-5-20251001Analyzed: Jul 11, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add cloudflare/sandbox-sdk to your library

Command Palette

Search for a command to run...