Description
📋 Prerequisites
- I have searched the existing issues to avoid creating a duplicate
- By submitting this issue, you agree to follow our Code of Conduct
📝 Feature Summary
Add support for configurable outbound network access in skills by loading allow/deny domain lists from environment variables and generating an srt runtime settings file.
❓ Problem Statement / Motivation
Currently, the shell skill executes commands through the Anthropic
Sandbox Runtime (srt) but does not expose a way to configure outbound
network access.
Relevant implementation:
Because of this limitation:
- Skills cannot safely call external APIs
- Any outbound network access is implicitly restricted
- Developers cannot configure a controlled allowlist for domains
Real-world example
I created a skill that retrieves electricity prices in Spain:
https://github.com/felipevicens/spain-electricity-price-skill
This skill needs to query a public electricity price API. However,
requests fail due to the current network restrictions when running
inside the sandbox.
Who is affected
This affects developers building skills that require outbound access to:
- public APIs
- package registries
- observability services
- GitHub or other developer APIs
Without controlled network access, many practical skills cannot be
implemented.
Why this is needed
Many real-world skills require controlled outbound network access. Without a safe allowlist mechanism, developers must either:
- disable restrictions entirely (unsafe), or
- forgo useful API integrations.
A configurable allowlist provides a secure middle ground.
💡 Proposed Solution
Expose outbound network configuration through environment variables,
and have the shell skill generate a runtime srt settings file that
enforces the network policy.
The Anthropic Sandbox Runtime enforces network restrictions via the
network configuration in its settings file.
Example srt configuration:
```json
{
  "network": {
    "allowedDomains": [
      "api.esios.ree.es",
      "*.api.esios.ree.es"
    ],
    "deniedDomains": [
      "malicious.com"
    ]
  }
}
```
The shell skill would dynamically generate this configuration from
environment variables.
Proposed environment variables
KAGENT_ALLOWED_DOMAINS
KAGENT_DENIED_DOMAINS
Example:
KAGENT_ALLOWED_DOMAINS=api.esios.ree.es,*.api.esios.ree.es
KAGENT_DENIED_DOMAINS=malicious.com
Expected behavior
- The shell skill reads network configuration from environment variables.
- It generates an `srt` settings file containing the `network` configuration.
- The sandbox is launched with: `srt --settings <generated-settings.json> sh -c <command>`
- `srt` enforces the network policy.
Example implementation concept
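```python
import os

def parse_env_list(name):
    # Split a comma-separated environment variable into a list of non-empty entries
    return [d.strip() for d in os.environ.get(name, "").split(",") if d.strip()]

settings = {
    "network": {
        "allowedDomains": parse_env_list("KAGENT_ALLOWED_DOMAINS"),
        "deniedDomains": parse_env_list("KAGENT_DENIED_DOMAINS")
    }
}
```
The settings file could be generated in a temporary path such as
`/tmp/kagent-srt-settings.json` and reused across executions.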
Security considerations
- Default behavior should remain secure by default (no outbound access).
- If no environment variables are provided, the sandbox should run with the existing restricted configuration.
- `deniedDomains` should override `allowedDomains`.
- Wildcard domains (e.g. `*.github.com`) should be supported.
🔄 Alternatives Considered
No response
🎯 Affected Service(s)
Not Sure
📚 Additional Context
Relevant file that would need modification:
Anthropic Sandbox Runtime documentation:
https://github.com/anthropic-experimental/sandbox-runtime
Example real-world skill requiring outbound API access:
https://github.com/felipevicens/spain-electricity-price-skill
Adding this capability would allow developers to build production-ready
skills that integrate with external services while maintaining
controlled and secure network access.
🙋 Are you willing to contribute?
- I am willing to submit a PR for this feature
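A fuller sketch of the settings generation and the security considerations described in this issue, as an added example (not code from kagent or from the Anthropic Sandbox Runtime). All function names are hypothetical. The domain-pattern regex and the wildcard semantics in `is_allowed` (a `*.` pattern covers subdomains only, deny wins over allow) are assumptions that model the requested behavior, not srt's actual matcher. The file is written with `tempfile.mkstemp` rather than a fixed `/tmp` name, because a predictable path in a shared directory can be pre-created by another local user.

```python
import json
import os
import re
import tempfile

# One hostname, optionally prefixed with "*." (assumed pattern syntax, following the issue's examples)
_DOMAIN_RE = re.compile(r"(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def parse_domain_list(raw):
    """Split a comma-separated value; reject anything that is not a plain domain pattern."""
    items = [p.strip().lower() for p in (raw or "").split(",") if p.strip()]
    for item in items:
        if not _DOMAIN_RE.fullmatch(item):
            # Fail closed: a URL, a bare "*" or an IP is a config error, never "allow all"
            raise ValueError(f"invalid domain pattern: {item!r}")
    return items

def build_settings(env):
    """Return the srt settings dict, or None when no allowlist is configured."""
    allowed = parse_domain_list(env.get("KAGENT_ALLOWED_DOMAINS"))
    denied = parse_domain_list(env.get("KAGENT_DENIED_DOMAINS"))
    if not allowed:
        return None  # caller keeps the existing restricted configuration
    return {"network": {"allowedDomains": allowed, "deniedDomains": denied}}

def _matches(host, pattern):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # subdomains only, not the apex
    return host == pattern

def is_allowed(host, settings):
    """Model of the requested policy: deny overrides allow, default deny."""
    net = settings["network"]
    host = host.lower().rstrip(".")
    if any(_matches(host, p) for p in net["deniedDomains"]):
        return False
    return any(_matches(host, p) for p in net["allowedDomains"])

def write_settings(settings):
    """Write to a fresh file (mode 0600, unpredictable name) and return its path."""
    fd, path = tempfile.mkstemp(prefix="kagent-srt-", suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(settings, fh, indent=2)
    return path

def srt_argv(settings_path, command):
    # argv list in the form given in the issue; no outer shell interpolation
    return ["srt", "--settings", settings_path, "sh", "-c", command]
```

`is_allowed` is useful as a unit-test oracle for the generated policy; enforcement itself stays with `srt`.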