Isol8 Skill
Isol8 is a secure execution engine for running untrusted code inside Docker containers with strict resource limits, network controls, and output sanitization. Use this skill when you need to execute code, scripts, or system commands in a safe, isolated environment.
For full documentation, see the isol8 docs. This file is a quick-reference for AI agents — it covers the most common operations and links to detailed docs for everything else.
Quick Reference
CLI Commands
| Command | Purpose | Full Docs |
|---|---|---|
isol8 run [file] | Execute code in an isolated container | CLI: run |
isol8 setup | Build Docker images, optionally bake in packages | CLI: setup |
isol8 cleanup | Remove orphaned isol8 containers (optionally images with --images) | CLI: cleanup |
isol8 serve | Start HTTP server for remote execution (downloads binary on first use) | CLI: serve |
isol8 config | Display resolved configuration | CLI: config |
Input Resolution (isol8 run)
--evalflag (inline code, defaults topythonruntime)- File argument (runtime auto-detected from extension, or forced with
--runtime) - Stdin (defaults to
pythonruntime)
Extension mapping: .py → python, .js/.mjs/.cjs → node, .ts → bun, .mts → deno, .sh → bash
Remote source input: use --url, --github, or --gist (requires remoteCode.enabled=true in config). Add --hash for SHA-256 verification.
Most-Used Flags (isol8 run)
| Flag | Default | Description |
|---|---|---|
-e, --eval <code> | — | Execute inline code |
-r, --runtime <name> | auto-detect | Force: python, node, bun, deno, bash |
--no-stream | false | Disable real-time output streaming |
--persistent | false | Keep container alive between runs |
--persist | false | Keep container after execution for debugging |
--debug | false | Enable internal debug logging |
--install <package> | — | Install package before execution (repeatable). If --net is omitted, CLI auto-uses filtered and allowlists default runtime registries |
--url <url> | — | Fetch source code from URL |
--github <owner/repo/ref/path> | — | GitHub shorthand for raw source |
--gist <gistId/file.ext> | — | Gist shorthand for raw source |
--hash <sha256> | — | Verify SHA-256 hash for fetched code |
--allow-insecure-code-url | false | Allow insecure http:// code URLs for this request |
--net <mode> | none | Network: none, host, filtered (explicit value is never overridden) |
--timeout <ms> | 30000 | Execution timeout |
--memory <limit> | 512m | Memory limit |
--secret <KEY=VALUE> | — | Secret env var, value masked in output (repeatable) |
--stdin <data> | — | Pipe data to stdin |
For the complete flag reference (20 flags total), see CLI: run.
CLI Examples
# Python inline
isol8 run -e "print('Hello!')" --runtime python
# Run a file (runtime auto-detected)
isol8 run script.py
# With package installation
isol8 run -e "import numpy; print(numpy.__version__)" --runtime python --install numpy
# Pipe via stdin
echo "console.log(42)" | isol8 run --runtime node
# Secrets (masked as *** in output)
isol8 run -e "import os; print(os.environ['KEY'])" --runtime python --secret KEY=sk-1234
# Remote execution
isol8 run script.py --host http://server:3000 --key my-api-key
# Cleanup orphaned containers
isol8 cleanup # Interactive (prompts for confirmation)
isol8 cleanup --force # Skip confirmation
isol8 cleanup --images --force # Also remove isol8 images
Library API (Quick Reference)
For full library documentation, see Library Overview.
DockerIsol8
import { DockerIsol8 } from "isol8";
const isol8 = new DockerIsol8({
mode: "ephemeral", // or "persistent"
network: "none", // or "host" or "filtered"
memoryLimit: "512m",
cpuLimit: 1.0,
timeoutMs: 30000,
secrets: {}, // values masked in output
persist: false, // keep container after execution for debugging
debug: false, // enable internal debug logging
});
await isol8.start();
const result = await isol8.execute({
codeUrl: "https://raw.githubusercontent.com/user/repo/main/script.py",
codeHash: "<sha256>",
runtime: "python",
installPackages: ["numpy"], // optional
});
console.log(result.stdout); // captured output
console.log(result.exitCode); // 0 = success
console.log(result.durationMs);
await isol8.stop();
Full options reference: Execution Options
RemoteIsol8
import { RemoteIsol8 } from "isol8";
const isol8 = new RemoteIsol8(
{ host: "http://localhost:3000", apiKey: "secret" },
{ network: "none" }
);
await isol8.start();
const result = await isol8.execute({ code: "print(1)", runtime: "python" });
await isol8.stop();
Streaming
for await (const event of isol8.executeStream({
code: 'for i in range(5): print(i)',
runtime: "python",
})) {
if (event.type === "stdout") process.stdout.write(event.data);
if (event.type === "exit") console.log("Exit code:", event.data);
}
Full streaming docs: Streaming
File I/O (Persistent Mode)
await isol8.putFile("/sandbox/data.csv", "col1,col2\n1,2");
const buf = await isol8.getFile("/sandbox/output.txt");
Full file I/O docs: File I/O
HTTP Server API
Full endpoint reference: Server Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
GET | /health | No | Health check |
POST | /execute | Yes | Execute code, return result |
POST | /execute/stream | Yes | Execute code, SSE stream |
POST | /file | Yes | Upload file (base64) |
GET | /file | Yes | Download file (base64) |
DELETE | /session/:id | Yes | Destroy persistent session |
POST | /cleanup | Yes | Trigger remote cleanup for sessions/containers (images optional) |
Configuration
Config is loaded from (first found): ./isol8.config.json or ~/.isol8/config.json. Partial configs are deep-merged with defaults.
Full configuration reference: Configuration
Security Defaults
| Layer | Default |
|---|---|
| Filesystem | Read-only root, /sandbox tmpfs 512MB (exec allowed), /tmp tmpfs 256MB (noexec) |
| User isolation | Non-root sandbox user (uid 100), processes killed between pool reuses |
| Processes | PID limit 64, no-new-privileges |
| Resources | 1 CPU, 512MB memory, 30s timeout |
| Network | Disabled (none), iptables enforcement in filtered mode |
| Output | Truncated at 1MB, secrets masked |
| Seccomp | strict default profile (blocks mount, swap, ptrace, etc.); standalone server binaries use embedded fallback when profile files are missing |
Container Filesystem:
/sandbox(512MB): Working directory, packages installed here, execution allowed for.sofiles/tmp(256MB): Temporary files, no execution allowed for security
Full security model: Security
Troubleshooting
- "Docker not running": Run
isol8 setupto check. - Timeouts: Increase
--timeout. Process is killed on timeout. - OOM Killed: Increase
--memory. - "No space left on device": Increase
--sandbox-size(default 512MB) or--tmp-size(default 256MB). - "Operation not permitted" with numpy/packages: Packages need
--sandbox-sizelarge enough for installation (512MB+ recommended). .tsfiles running with Bun instead of Deno:.tsdefaults to Bun. Use--runtime denoor.mtsextension.- Serve command failing: Ensure the server binary can be downloaded from GitHub Releases. Use
isol8 serve --updateto force a fresh download. Useisol8 serve --debugto see detailed server logs. For listen port selection, precedence is--port>ISOL8_PORT>PORT>3000; if the port is busy,servecan prompt for another port or auto-pick an available one. - Seccomp profile load failure: In
strict/custommode, execution fails if profile loading fails. Verifysecurity.customProfilePathfor custom mode.