Bashkit — awesomely fast virtual bash sandbox in Rust
Virtual bash for AI agents
Bashkit runs untrusted shell scripts from AI agents without spawning a single OS process. 164 reimplemented commands, substantial POSIX shell language coverage, a virtual filesystem, resource limits, and tool interfaces for agent frameworks — all in-memory, all sandboxed.
Quick starts Agents Rust Python TypeScript
Install the crate.
cargo add bashkitRuntime surface
Browse the builtins that make the sandbox usable.
Text processing, files, archives, network, Python, TypeScript, and shell control all live in-process.
grepsedawkjqcurlfindxargstargitsshpythontypescript
See all 164 builtinsAgent development
Start with the skill, then embed the runtime.
The Bashkit skill gives coding agents the right local context: sandbox model, package APIs, builtins, examples, and agent-tool patterns. Install it first, then add Bashkit to the host project.
Install the skill
Give your coding agent Bashkit-specific usage notes and examples.
npx skills add everruns/bashkitAsk agent to add it
Prompt your coding agent to wire Bashkit into the host project.
Using bashkit, add support for a bash toolEnjoy :)
Use the new bash tool in your agent workflow.
Product surface
What bashkit gives you
A single runtime you can embed in agents, CLIs, editors, and evaluation harnesses. No sidecar process, no container overhead, no external dependencies at runtime.
POSIX-compliant interpreter
Substantial IEEE 1003.1-2024 Shell Command Language coverage, plus bash extensions: arrays, [[ ]], brace expansion, extended globs, coprocesses, traps.
164 reimplemented commands
grep, sed, awk, jq, curl, tar, find, xargs, and 150+ more — pure Rust, no shelling out.
LLM tool contract
BashTool with discovery metadata, streaming output, and system prompts. Plug into any agent framework.
Interactive shell
Run bashkit with no args for a local REPL with line editing and multiline input.
Snapshotting
Serialize shell state and VFS contents to bytes. Checkpoint any workload, resume anywhere.
Scripted tool orchestration
Compose ToolDef + callback pairs into a ScriptedTool driven by a bash script.
Quick start
Three languages, one runtime
Start with the core Rust crate, or drop the same runtime into Python and TypeScript when you need it inside an existing stack.
use bashkit::Bash;
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let mut bash = Bash::new();
let out = bash.exec("echo hello world").await?;
println!("{}", out.stdout);
Ok(())
}from bashkit import Bash
bash = Bash()
result = bash.execute_sync("echo 'Hello, World!'")
print(result.stdout)
bash.execute_sync("export APP_ENV=dev")
print(bash.execute_sync("echo $APP_ENV").stdout)import { Bash } from "@everruns/bashkit";
const bash = new Bash();
const result = bash.executeSync('echo "Hello, World!"');
console.log(result.stdout);
bash.executeSync("X=42");
console.log(bash.executeSync("echo $X").stdout);use bashkit::Bash;
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let mut bash = Bash::new();
bash.exec("mkdir -p /tmp/data").await?;
bash.exec("echo 'hello' > /tmp/data/out.txt").await?;
let r = bash.exec("cat /tmp/data/out.txt | tr a-z A-Z").await?;
print!("{}", r.stdout); // HELLO
Ok(())
}Security
Hostile input is the default assumption
Defense in depth across every layer — process, filesystem, network, parser, and runtime. See the full threat model for 250+ mitigations.
No process spawning
164 commands reimplemented in Rust — no fork, exec, or shell escape.
Virtual filesystem
Scripts see an in-memory FS by default. No host access unless mounted.
Network allowlist
HTTP is denied by default. Each domain must be explicitly allowed.
Resource limits
Caps on commands (10K), loops (100K), function depth, output (10MB), input (10MB).
Parser limits
Timeout, fuel budget, AST depth — pathological input can't hang the interpreter.
Panic recovery
Every builtin is wrapped in catch_unwind. A panic in one command can't crash the host.
LLM evals
How well do LLMs use bashkit?
Bashkit ships with a 58-task LLM eval harness across 15 agentic categories. Results below are from the 2026-02-28 run:
| Model | Score | Tasks passed |
|---|---|---|
| Claude Haiku 4.5 | 97% | 54/58 |
| Claude Sonnet 4.6 | 93% | 48/58 |
| Claude Opus 4.6 | 91% | 50/58 |
| GPT-5.3-Codex | 91% | 51/58 |
| GPT-5.2 | 77% | 41/58 |
Open source
Pick a path and go deeper.
The crate is MIT-licensed. These are the links that actually help you evaluate, integrate, and operate it.
Rust API
Core crate docs, builder options, limits, and shell semantics.
Python docsPython
PyO3 package docs for direct Bash usage, snapshots, and builtins.
TS docsTypeScript
Node, Bun, and Deno runtime docs for the NAPI bindings.
Security specThreat model
268 documented threat cases across parser, VFS, network, and runtimes.
BenchesBenches history
Interactive trends across benchmarks, criterion benches, and evals.
CLI docsCLI reference
One-shot commands, script execution, and interactive shell usage.
Browse examplesExamples
Reference programs for Rust, Python, JavaScript, and tool flows.