Agent Shell

The server you can hand your AI agent root on, and sleep.

A hardened Linux box you reach over SSH or right in the browser. Give borg, Claude, Codex or Gemini real root, let them apt install and build whatever they want, and watch it live. It is sandboxed so hard that even root inside cannot touch the host.

ssh + web terminal · gVisor sandbox · live stats · agents preinstalled

$ ssh [email protected]
agent@your-box:~$ sudo apt install -y ffmpeg
... installing, you are root ...
agent@your-box:~$ borg "add a webhook and run the tests"
borg reads, edits, runs, verifies...
# mem 512MB · cpu 0.5 · gVisor · egress capped

Root you can actually trust an agent with

Three things a raw VPS will never give you.

root

Real root, real apt

You are root. apt install anything, run services, compile whatever you want. It is a full Ubuntu box your agent controls, not a locked-down playground.

gvisor

Sandboxed so hard you can sleep

Every box runs under gVisor: a userspace kernel between the box and the host, so even root inside cannot reach the host kernel. The isolation class Google Cloud Run and Replit trust for untrusted code. Verified: box root is an unprivileged host user.

watch

Watch it live, always

Real-time graphs for memory, CPU, disk and network, a running-agents indicator and a top-processes view. See exactly what your agent is doing, the moment it does it.

Everything an agent needs, already in the box

Connect, point your agent at it, and go. Nothing to set up.

connect

SSH or browser, your call

Add your SSH key and connect from any terminal, or open the full web terminal in one click. No client to install, nothing to configure.

agents

Every agent preinstalled

borg, Claude Code, OpenAI Codex and Gemini CLI ship in the box, plus an MCP server so Claude can drive it over SSH. Bring your own API key and go.

qa

A QA and eval workbench

promptfoo, pytest, ruff, shellcheck, uv and git are ready out of the box. Ship code and grade LLMs from the same shell, be the QA lead your agents need.

monitor

Rich live monitoring

Memory in GB, CPU percent, disk usage, live network throughput, uptime, active sessions, running agents and the top processes, all streaming in real time.

persist

Your work persists, the box stays clean

Your /home survives every restart, the rest of the box is ephemeral and resets. Break it, wipe it, start clean. Your files never go anywhere.

fast

Yours in under a minute

Generate a box, copy the ssh line, set a password or drop in a key, wire Claude over MCP with one command. From zero to an agent working in seconds.

wire claude in one lineclaude mcp add xshellz -- ssh -p <port> agent@<host> xshellz-mcp
Live monitoring

See exactly what your agent is doing

Every box streams its vitals in real time: memory in GB against your limit, CPU percent, disk usage, live network throughput and disk I/O, uptime, active sessions, a running-agents chip and the top processes. When a box nears its ceiling or gets throttled, you see it instantly.

  • Memory, CPU, disk and process gauges with rolling sparklines
  • Live network in and out, so you catch a busy agent early
  • Running-agents indicator: borg, Claude, Codex or Gemini, live
  • Top processes and active SSH sessions at a glance
Memory0.34 / 0.50 GB
CPU22% of 0.5 vCPU
Disk /home180 / 300 MB
Processes14 / 256

2 agents running · up 3h 12m · net ↓1.2MB/s ↑40KB/s

Why it is safe when a $5 root VPS is not

Six layers, so an agent can do whatever it wants inside and nothing leaks out.

Fake root, real containment

Container root maps to an unprivileged host user (verified: uid 100000). If an agent breaks out, it lands nowhere.

Cannot be a weapon

A per-box egress bandwidth cap plus a host firewall block spam, floods, internal scans and cloud-metadata credential theft.

Cannot hurt neighbours

Hard memory, CPU, process and disk caps per box. A fork bomb or runaway agent hits its own ceiling and stops, nobody else notices.

Kernel-isolated by gVisor

A userspace kernel intercepts every syscall, so a kernel exploit inside the box never reaches the host. The guarantee a $5 VPS with root cannot give you.

Self-cleaning

The base filesystem is ephemeral and resets on restart. A poisoned box wipes itself; only your /home carries forward.

Watched

Live monitoring surfaces a busy or misbehaving box early, and abandoned boxes are garbage-collected so the fleet stays clean.

What each plan gets

Every tier is fully sandboxed and monitored. See pricing for live details.

PlanBoxesCPUMemoryDiskUptime
Free10.5 core512 MB0.3 GB30-day trial, then on-demand
Starter11 core1 GB10 GBalways-on
Pro22 cores2 GB25 GBalways-on
Max54 cores4 GB50 GBalways-on

From nothing to an agent working, in a minute

01

Create a box

One click in the app. Pick a name, drop in your SSH key or generate a password. It boots in seconds.

02

Connect

SSH from your terminal, or open the web terminal in the browser. You land as root in a full Linux box.

03

Hand it to your agent

Run borg in the box, or wire Claude over SSH with one MCP command. Then let it apt install, build, test and ship.

Bring your agent a box it can own.

Start free with one box, always-on for a trial, then on demand with your data kept. Upgrade for always-on, more memory, CPU, disk and boxes.

Questions

Is it safe to give an AI agent root on this?

Yes, that is the entire point. Every box runs under gVisor, a userspace kernel between the box and the host, so even root inside cannot reach the host kernel. Container root also maps to an unprivileged host user, and hard caps bound memory, CPU, processes, disk and network. A raw VPS with root gives you none of this.

Do I connect over SSH or in the browser?

Either. Add your SSH public key and connect from any terminal, or open the full web terminal in the app with one click. Both drop you into the same box as root, and you can set a password for password login too.

What is preinstalled?

The major AI coding agents (borg, Claude Code, OpenAI Codex, Gemini CLI) plus an MCP server so Claude can drive the box over SSH. It also ships a QA and eval workbench: promptfoo, pytest, ruff, shellcheck, uv and git. Bring your own API key.

How is this different from a $5 VPS with root?

A VPS hands you the host kernel and hopes for the best. Agent Shell is sandboxed with gVisor so an escape or kernel exploit cannot touch the host, it cannot be turned into a spam or DDoS weapon, it cannot starve its neighbours, and it cleans itself when the box resets. Plus every agent and QA tool is already installed.

Can I really apt install anything?

Yes. It is a full Ubuntu box and you are root, so apt, pip, npm, building from source and running services all work. The box is ephemeral, so if you break it, restart and it comes back clean, with your /home intact.

Does my work survive a restart?

Your /home volume persists across restarts and resumes. The rest of the box is ephemeral by design, so the base system resets while your files, repos and agent history stay put.

Is there a free tier?

Yes. You get a free box, always-on for a trial window, then it idle-stops and wakes on demand with your data preserved. Paid plans keep it always-on with more memory, CPU, disk and boxes.