Matchlock: Linux-based sandboxing for AI agents(github.com)
47 pointsby jingkai_he5 hours ago5 comments
  • raphinou12 minutes ago
    I've been happily using a container to run my agents [1]. I tried to make it evolve with more advanced features, but it quickly became harder to use and I went back to a basic container which I just start with a run.sh script. Is a similar simple use possible with matchlock?

    1:https://github.com/asfaload/agents_container

  • pjio38 minutes ago
    If I'm already on Linux, how does it compare to using bubblewrap?
    • jingkai_he8 minutes ago
      Creator here. A few key differences:

      1. from isolation pov, Matchlock launch Firecracker microvm with its own kernel, so you get hardware-level isolation rather than bubblewrap's seccomp/namespace approach, therefore a sandbox escape would require a VM breakout.

      2. Matchlock intercepts and controls all network traffic by default, with deny-all networking and domain allowlisting. Bubblewrap doesn't provide this, which is how exfiltration attacks like the one recently demonstrated against Claude co-work (https://www.promptarmor.com/resources/claude-cowork-exfiltra...).

      3. You can use any Docker/OCI image and even build one, so the dev experience is seamless if you are using docker-container-ish dev workflow.

      4. The sandboxes are programmable, as Matchlock exposes a JSON-RPC-based SDK (Go and Python) for launching and controlling VMs programmatically, which gives you finer-grained control for more complex use cases.

  • athrowaway3zan hour ago
    Have I told you about our lord and savior: `useradd`
  • __alexs2 hours ago
    Why would secrets ever need to be available to the agent directly rather than hidden inside the tool calling framework?
    • jingkai_hean hour ago
      Creator of Matchlock here. Mostly for performance and usability. For interacting with external APIs like GCP or GitHub that generally have huge surface area, it's much more token-efficient and easier to set up if you just give the agent gcloud and gh CLI tools and the secrets to use them (in our case fake ones), compared to wiring up a full-blown MCP server. Plus, agents tend to perform better with CLI tools since they've been heavily RL'd on them.
      • bjt12345an hour ago
        Token efficiency is a good argument actually.
    • rfooan hour ago
      Sometimes people are too lazy to write their own agent loop and decided to run off-the-shelf coding agent (e.g. Claude Code, or Pi in case of clawdbot) in environment.
    • 2 hours ago
      undefined
    • _pdp_an hour ago
      Exactly.
  • ushakovan hour ago
    very cool, if you want cross-platform microvms, there's an interesting project called libkrun that powers projects like Podman and Colima.

    here's a Go binding: https://github.com/mishushakov/libkrun-go

    demo (on Mac): https://x.com/mishushakov/status/2020236380572643720