Skip to main content
Sandbox settings are owned by the LangBot main process; Box Runtime performs the actual execution. For most deployments, you only need to choose a backend, set the workspace directory, and pick a security profile.
All box.* settings on this page live in data/config.yaml. See System Environment Settings for the file’s location and how it’s loaded.
  • enabled: master switch. When false, all Box-dependent features are disabled (sandbox tools, skill add/edit, stdio MCP hosting).
  • backend: see “Backend Selection” below.
  • local.profile: security profile — controls network, mounts, and resource limits.
  • local.host_root: host workspace directory, mapped to /workspace inside the sandbox.
  • local.skills_root: skill package directory; relative paths resolve under host_root (defaults to host_root/skills).
  • docker.cpu_limit_enabled: whether Docker sandbox containers get a CPU limit; set to false to omit docker run --cpus while keeping memory and PID limits.
Skills are loaded only from the Box-managed skill store. When Box Runtime or the backend is unavailable, the skill list is empty and create/edit/register_skill are disabled — there’s no fallback to data/skills/.

Backend Selection

The sandbox can run on local containers or in the cloud. box.backend picks which: local is shorthand for “auto-pick”, not a fourth backend sitting next to docker/nsjail. The local backends (local/docker/nsjail) share the box.local.* config section; the cloud backend uses box.e2b.*.
backend is a hard selection. Setting docker and finding Docker unavailable does not fall back to Nsjail or E2B — only local auto-fans-out.BOX__BACKEND environment variable overrides box.backend (highest priority).

Security Profiles

box.local.profile controls network, mounts, and resource limits for local backends: Prefer least privilege: skip the network unless you need it (default / offline_readonly); only add necessary directories to allowed_mount_roots.

Local Backend Configuration (box.local.*)

The local backends (local / docker / nsjail) share these settings:

Box Sandbox Memory Configuration

box.default_memory_mb sets the nsjail cgroup memory cap for every stdio-mode MCP server process. Can be set in config.yaml or via the BOX__DEFAULT_MEMORY_MB environment variable. When to adjust:
  • Node.js MCP servers (launched via npx/bunx): V8 + WebAssembly module initialisation needs significant memory; keep at ≥ 1536 MB
  • Python MCP servers (launched via uvx): 512 MB is usually enough, but the default is fine too
  • When memory is exhausted, the process is forcibly killed (return_code=137), logged as “Box managed process exited unexpectedly”
Per-server override: Set box.memory_mb in the individual MCP server config to override the global default.

Docker Backend Configuration (box.docker.*)

Cloud Backend Configuration (box.e2b.*)

Configure after setting backend: 'e2b': E2B doesn’t need Docker or Nsjail on the host — every execution goes through the remote sandbox.

Docker Compose Deployment

In Docker Compose, sandbox settings live on the langbot service. LangBot forwards them to langbot_box via INIT RPC at startup.
langbot_box needs the Docker daemon. Only mount docker.sock in trusted environments, and keep the Box root path identical on the host and inside the langbot_box container.
To point LangBot at an externally-managed Box Runtime (e.g. a remote host), use box.runtime.endpoint:

Environment Variables

Don’t set BOX__* or LANGBOT_BOX_* on the langbot_box service — Box Runtime doesn’t read them directly. Its configuration arrives over INIT RPC from LangBot.