Run untrusted code in hardened VMs.
Hotcell runs code inside tiny virtual machines. Each execution gets its own kernel, its own memory, its own process tree. The code cannot see or touch the host because it is running on separate virtual hardware.
$ hotcell run python:3.12-slim -- python3 -c "
import json, hashlib
data = open('/etc/os-release').read()
digest = hashlib.sha256(data.encode()).hexdigest()[:12]
print(f'hashed os-release: {digest}')
with open('/hotcell/result.json', 'w') as f:
    json.dump({'digest': digest, 'ok': True}, f)
"
hashed os-release: 7a3b9e1f04c2
$ cat result.json
{"digest": "7a3b9e1f04c2", "ok": true}
Code can't escape.
Every execution runs in its own VM with a dedicated kernel, memory, and process tree. If someone breaks out of the VM, they land in a jailed process with no capabilities and a syscall filter that kills on violation.
22 hardening layers across two isolation boundaries. Kernel sandboxing, filesystem access control, resource limits, network egress filtering, and capability dropping.
OCI Image Support
No special image format. Pull any Docker/OCI image, run it in a VM.
Real-Time Streaming
Stream console output in real-time via SSE or WebSocket. Output streams as the VM runs.
Pluggable Backends
Choose your VMM per-request. libkrun for development and macOS. Firecracker for production Linux with stronger isolation. Cloud Hypervisor as an alternative Linux backend. Same API, same results, regardless of backend.
Dual-Platform
macOS (Apple Silicon via Hypervisor.framework) and Linux (x86_64/aarch64 via KVM). Native hypervisors for zero-overhead performance.
Who it's for
Anywhere untrusted code meets your infrastructure.
AI & agent developers
Let your agent run code without risking your infrastructure. Ephemeral VMs execute code and return structured JSON results. Persistent VMs run long-lived services with automatic port forwarding. Network access is off by default.
Ephemeral + persistent / structured I/O / network-isolated by default
Platform builders
Add sandboxed execution to your product. Run one-off commands or long-lived services inside VMs. One Rust dependency, no Docker daemon, no sidecar. Pull any OCI image and run it with a single function call.
FaaS / code evaluation / CI runners / sandboxed services
Security teams
Open-source, auditable isolation. Every syscall in the allowlist is documented. Every hardening layer is in the code, not behind a vendor's wall. Stronger than containers, simpler than managing your own Firecracker fleet.
MIT licensed / 22 hardening layers / seccomp in Kill mode
Stronger isolation than gVisor. Simpler than Kata Containers. Open-source alternative to E2B, Modal, and SlicerVM. Works with your existing Docker images.
Ready to try Hotcell?
Open-source, MIT-licensed. Use the CLI, embed the Rust library, or run the HTTP server. Works on macOS and Linux with any Docker image.