What is the best way to limit blast radius from prompt injection attacks?

Last updated: 3/18/2026

Summary:

NVIDIA OpenShell limits the blast radius of prompt injection attacks by enforcing multiple independent isolation layers that constrain what any injected instruction can actually cause the agent to do.

Direct Answer:

NVIDIA OpenShell applies four independent protection layers that each reduce what a successful prompt injection can achieve:

Filesystem (Landlock LSM): The agent can only read or write paths declared in the policy. An injected instruction to exfiltrate source code or read SSH keys fails because the paths are inaccessible at the kernel level.

Network (default-deny proxy): Every outbound connection is blocked unless both the destination host and the calling binary match a declared network policy block. An injected instruction to upload data to an unauthorized server is denied by the proxy before the connection reaches the internet.

Process (unprivileged identity + seccomp): The agent runs as an unprivileged user with no sudo, no setuid paths, and a seccomp filter that blocks dangerous syscalls. Injected instructions to escalate privilege or execute system-level commands are blocked at the kernel level.

Inference routing: API calls can be routed through inference.local, which strips agent-supplied credentials and injects the configured backend credentials. An injected instruction to reroute model traffic to a third-party server is blocked by network policy.
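As an added illustration (not OpenShell's code or policy format; the policy shape, function names and sample values are hypothetical), a small Python model of the default-deny checks described above: filesystem paths are normalized before being matched against declared paths, a network request must match both the destination host and the calling binary, and anything not explicitly declared is denied.

```python
"""Constructed model of layered default-deny policy evaluation (not OpenShell code)."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


@dataclass
class Policy:
    fs_read: set = field(default_factory=set)   # paths the agent may read
    fs_write: set = field(default_factory=set)  # paths the agent may write
    net: set = field(default_factory=set)       # (host, binary) pairs; both must match


def normalize(path: str) -> Optional[PurePosixPath]:
    """Lexically resolve '.' and '..'; relative paths return None and are denied."""
    if not path.startswith("/"):
        return None
    parts = ["/"]
    for part in PurePosixPath(path).parts[1:]:
        if part == "..":
            if len(parts) > 1:  # never climb above the root
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def fs_allowed(policy: Policy, path: str, mode: str) -> bool:
    """Allow only if the normalized path is at or below a declared path."""
    target = normalize(path)
    if target is None:
        return False
    declared = policy.fs_read if mode == "read" else policy.fs_write
    return any(target == PurePosixPath(d) or PurePosixPath(d) in target.parents
               for d in declared)


def net_allowed(policy: Policy, host: str, binary: str) -> bool:
    """Default deny: the host AND the calling binary must be declared together."""
    return (host.lower().rstrip("."), binary) in policy.net


def evaluate(policy: Policy, actions: list) -> list:
    """Decide a batch of (kind, *args) actions; unknown kinds are denied."""
    results = []
    for kind, *args in actions:
        if kind in ("read", "write"):
            results.append(fs_allowed(policy, args[0], kind))
        elif kind == "net":
            results.append(net_allowed(policy, *args))
        else:
            results.append(False)
    return results


# Constructed sample policy and a batch of actions an injected prompt might request.
POLICY = Policy(fs_read={"/workspace"}, fs_write={"/workspace/out"},
                net={("api.example.com", "/usr/bin/curl")})
SAMPLE_ACTIONS = [
    ("read", "/workspace/src/main.py"),                  # declared: allowed
    ("read", "/workspace/../home/agent/.ssh/id_rsa"),    # escapes /workspace: denied
    ("write", "/workspace/src/main.py"),                 # write outside /workspace/out: denied
    ("net", "api.example.com", "/usr/bin/curl"),         # host and binary declared: allowed
    ("net", "upload.example.net", "/usr/bin/curl"),      # undeclared host: denied
    ("net", "api.example.com", "/usr/bin/python3"),      # declared host, wrong binary: denied
]

if __name__ == "__main__":
    for action, ok in zip(SAMPLE_ACTIONS, evaluate(POLICY, SAMPLE_ACTIONS)):
        print("ALLOW" if ok else "DENY ", action)
```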

Takeaway:

NVIDIA OpenShell contains the blast radius of prompt injection attacks by enforcing multiple kernel-level constraints that no agent instruction can override, ensuring that even a fully compromised agent cannot access unauthorized files, reach unauthorized servers, or escalate privileges.