经 AI Skill Hub 精选评估,AI工作流沙盒 获评「推荐使用」。这款Agent工作流在功能完整性、社区活跃度和易用性方面表现出色,AI 评分 7.5 分,适合有一定技术背景的用户使用。
📚 深度解析
AI工作流沙盒 工作流的设计遵循"最小配置,最大复用"原则:核心逻辑已经封装好,用户只需配置自己的 API Key 和业务参数即可快速上手。工作流内置错误处理和重试机制,在网络波动或 API 限速等情况下仍能稳定运行,适合作为生产环境的自动化基础设施。
在实际部署时,建议先在测试环境中运行 3-5 次,验证各个环节的输出结果符合预期,再部署到生产环境。AI Skill Hub 评分 7.5 分,是同类 Agent 工作流中的精选推荐。
📋 工具概览
AI工作流沙盒 是一套完整的 AI Agent 自动化工作流方案。通过可视化的节点编排,将复杂的多步骤任务拆解为清晰的自动化流程,实现全程无人值守的智能处理。支持与数百种外部服务和 API 无缝集成,适合构建数据处理管线、业务自动化和 AI 辅助决策系统。
📖 中文文档
AI工作流沙盒 是一套完整的 AI Agent 自动化工作流方案。通过可视化的节点编排,将复杂的多步骤任务拆解为清晰的自动化流程,实现全程无人值守的智能处理。支持与数百种外部服务和 API 无缝集成,适合构建数据处理管线、业务自动化和 AI 辅助决策系统。
- 可视化 Agent 工作流编排,无需编写复杂代码
- 支持多步骤自动化任务链,实现全流程无人值守
- 与外部 API、数据库和第三方服务无缝集成
- 内置错误处理与自动重试机制,保障稳定运行
- 提供可复用的自动化模板,快速在同类场景部署
- 自动化日常重复性工作,将精力集中于创造性任务
- 构建数据采集 → 处理 → 输出的完整自动化管线
- 实现跨平台、跨系统的数据流转和业务协同
# 方式一:go install(推荐) go install github.com/colony-2/shai@latest # 方式二:从源码编译 git clone https://github.com/colony-2/shai cd shai go build -o shai . # 方式三:下载预编译二进制 # 访问 Releases 页面下载对应平台二进制文件 # https://github.com/colony-2/shai/releases
- 访问 GitHub 仓库获取工作流文件
- 在对应平台(Dify / Flowise / Make 等)中找到「导入工作流」功能
- 上传工作流文件
- 按照提示配置必要的环境变量和 API Key
- 运行测试确认流程正常后投入使用
# 查看帮助 shai --help # 基本运行 shai [options] <input> # 详细使用说明请查阅文档 # https://github.com/colony-2/shai
# shai 配置说明 # 查看配置选项 shai --config-example > config.yml # 常见配置项 # output_dir: ./output # log_level: info # workers: 4 # 环境变量(覆盖配置文件) export SHAI_CONFIG="/path/to/config.yml"
shai - a sandboxing shell for ai coding agents
Shai (pronounced "shy") is a sandboxing tool for running CLI-based AI agents inside containers. At it's core, running shai will place your terminal inside a container mounted at the current path. This container mounts a read-only copy of your current path at /src as a non-root user and restricts network access to a select list of http and https destinations. All other network traffic is blocked. This is the perfect sandbox for running CLI agents like Codex, Claude Code, Gemini CLI, Cline, OpenHands, etc.
Security Features
- Config file protection: When the workspace root (
.) is mounted as read-write, Shai automatically remounts.shai/config.yamlas read-only to prevent unintended sandbox escapes through config modification. - iptables logging: Network firewall rules are logged to
/var/log/shai/iptables.outafter setup, allowing non-root users to inspect the active network restrictions. - Container isolation: Containers run as auto-remove ephemeral instances with network filtering, limited capabilities, and read-only workspace mounts by default.
Requirements
A compatible Docker image must include: - supervisord – Process supervisor for managing background services - dnsmasq – DNS server for domain filtering - iptables – Firewall for network egress control - tinyproxy – HTTP/HTTPS proxy for allow-listed traffic - Core utilities – bash, coreutils, iproute2, iputils-ping, jq, net-tools, passwd, procps, sed, util-linux
Docker Images
Shai can work with any Docker image that follows Linux standards and has the required system utilities installed. The bootstrap process automatically starts supervisord and loads any additional service configurations defined in /etc/supervisor/conf.d/*.conf, making it easy to extend containers with custom background services.
Quick Start
1. Install shai: 2.
npm install -g @colony2/shai
or
brew install --cask colony-2/tap/shai
# minimal invocation – read-only workspace sandbox
shai
# mark specific directories as writable
shai -rw app/component1
# run a command after bootstrap
shai -rw app/component1 -- codex --dangerously-bypass-approvals-and-sandbox
# inspect generated bootstrap script and resource decisions
shai -rw app/component1 src --verbose
# override the Docker image explicitly
shai -rw app/component1 --image ghcr.io/example/dev:latest
# force a specific image platform
shai -rw app/component1 --platform linux/amd64
Example
```yaml
`.shai/config.yaml` Reference
Generating a default config
You can generate a default config file (optional):
shai generate.shai/config.yaml with sensible defaults. You can also rely on the embedded default config if no custom configuration is needed.
Shai automatically loads <workspace>/.shai/config.yaml unless --config overrides it. Missing configs fall back to the embedded default config, which primarily enables a permissive HTTP allow-list and open-source registries.
.shai/config.yaml
type: shai-sandbox version: 1 image: ghcr.io/colony-2/shai-mega
Optional: set when you need a non-default image platform
platform: linux/amd64
user and workspace are optional - defaults are user: shai, workspace: /src
resources: base-allowlist: http: [openai.com, api.openai.com] agent-dev: vars: - source: OPENAI_API_KEY mounts: - source: ${{ env.HOME }}/.cache/agents target: /home/${{ conf.TARGET_USER }}/.cache/agents mode: rw calls: - name: refresh-plan description: Refresh cached plans on the host command: ${{ env.REPO_ROOT }}/scripts/refresh-plan.sh ports: - host: github.com port: 22 apply: - path: ./ resources: [base-allowlist] - path: agents resources: [agent-dev] ```
Embedding the Go API
Advanced users can embed Shai inside Go binaries using pkg/shai:
import (
"context"
shai "github.com/colony-2/shai/pkg/shai"
)
func runAgent(ctx context.Context, repoRoot string) error {
cfg, err := shai.LoadSandboxConfig(repoRoot,
shai.WithReadWritePaths([]string{"agents/cache"}),
shai.WithResourceSets([]string{"gpu"}),
shai.WithPlatformOverride("linux/amd64"),
shai.WithTemplateVars(map[string]string{"BRANCH": "main"}),
)
if err != nil {
return err
}
cfg.PostSetupExec = &shai.SandboxExec{
Command: []string{"python", "-m", "agent"},
Workdir: "/src/agents",
UseTTY: false,
}
sandbox, err := shai.NewSandbox(cfg)
if err != nil {
return err
}
defer sandbox.Close()
return sandbox.Run(ctx)
}SandboxConfig – Describes the workspace, config path, read/write overlays, selected resource sets, template variables, optional exec command, log writers, verbosity, graceful stop timeout, and image/platform overrides. - SandboxExec – Encapsulates the post-setup command (Command, env map, Workdir, UseTTY). - Sandbox – Interface with Run, Start, and Close. Start returns a SandboxSession with ContainerID, Wait, Stop, and Close helpers for supervising long-running jobs.
Use the Go API when you need to orchestrate multiple sandboxes, integrate with supervisors, or reuse Shai as the execution backend inside unit/integration tests.
高质量的AI工作流项目
- 需要 shai 解决具体问题的开发者与运营人员
- 先在测试环境跑通最小用例,再接入生产数据
- API key 直接提交到 git 仓库(请用 .env 并加入 .gitignore)
- 云端托管:可放在 Vercel / Railway / Fly.io 等 PaaS 平台
⚡ 核心功能
- 可视化 Agent 工作流编排,无需编写复杂代码
- 支持多步骤自动化任务链,实现全流程无人值守
- 与外部 API、数据库和第三方服务无缝集成
- 内置错误处理与自动重试机制,保障稳定运行
- 提供可复用的自动化模板,快速在同类场景部署
- 需要 shai 解决具体问题的开发者与运营人员
- 先在测试环境跑通最小用例,再接入生产数据
- API key 直接提交到 git 仓库(请用 .env 并加入 .gitignore)
👥 适合人群
🎯 使用场景
- 自动化日常重复性工作,将精力集中于创造性任务
- 构建数据采集 → 处理 → 输出的完整自动化管线
- 实现跨平台、跨系统的数据流转和业务协同
⚖️ 优点与不足
- +MIT 协议,可免费商用
- +大幅减少重复性人工操作
- +可视化流程,清晰直观
- +可扩展性强,支持复杂场景
- −初始配置和调试需投入一定时间
- −强依赖外部服务的稳定性
- −复杂场景需具备一定技术基础
AI Skill Hub 为第三方内容聚合平台,本页面信息基于公开数据整理,不对工具功能和质量作任何法律背书。
建议在沙箱或测试环境中充分验证后,再部署至生产环境,并做好必要的安全评估。
✅ MIT 协议 — 最宽松的开源协议之一,可自由商用、修改、分发,仅需保留版权声明。
🔗 相关工具推荐
❓ 常见问题 FAQ
AI Skill Hub 点评:AI工作流沙盒 的核心功能完整,质量良好。对于自动化工程师和运维人员来说,这是一个值得纳入个人工具库的选择。建议先在非生产环境试用,再逐步推广。
| 原始名称 | shai |
| 原始描述 | 开源AI工作流:sandboxing shell for ai coding agents。⭐40 · Go |
| Topics | AI工作流Go |
| GitHub | https://github.com/colony-2/shai |
| License | MIT |
| 语言 | Go |
收录时间:2026-06-01 · 更新时间:2026-06-02 · License:MIT · AI Skill Hub 不对第三方内容的准确性作法律背书。