At first glance, this feels like just an internal testing prompt at their company for some sort of sales pipeline. Feels more like an accident. None of the referenced files are actually in the repository. If the prompts had more of a "If the user mentions xyz, mention our product" that would absolutely give more credence that this is an advertising prompt, but none of that is here.

Oof

ExoAgent (from your bio/past comments) looks really interesting. Godspeed!

Yes please! I feel like we need filters for everything: file reading, network ingress egress, etc Starting with simpler filters and then moving up the semantic ones…

So basically WAF, but smarter :)

And how are you going to define what ocaps/flows are needed when agent behavior is not defined?

you have to reference Royal food tasting somehow. just saying

Maybe this is just me, but you'd think at some point it's not really a "sandbox" anymore.

good catch, it's naturally `ANTHROPIC_API_KEY`, but I could have been more specific.

Woah, that looks great. I’ve been looking for something like this. Neither thr readme or the security doc go into detail on the credential handling in the gateway. Is it using tokens to represent the secrets, or is the client just trusting that the connection will be authenticated? I’m trying to figure out how similar this is to something like Fly’s tokenizer proxy.

Kata containers are the right way to go about doing sandboxing on K8s. It is very underappreciated and, timing-wise, very good. With ec2 supporting nested virtualization, my guess is there is going to be wide adoption.

PS: Also, this is wild!

> What this does: apiKeyHelper tells Claude Code to run echo proxy-managed to get its API key. The sandbox’s network proxy intercepts outgoing API calls and swaps this sentinel value for your real Anthropic key, so the actual key never exists inside the sandbox.

You cannot execute (docker) containers securely within another container which also limits what you can do with any agent (DinD). A coding agent that generates a `Dockerfile` would surely benefit from starting a container with it. And generally speaking, as a another commenter explained, name-spacing does not give you the full host isolation that you are looking for when running truly untrusted code which is the reality when using agents.

I strongly believe that we will see MicroVMs becoming a staple tool in software development soon, as containers are never covered all the security threats nor have the abilities that you would expect from a "true" sandbox.

I wrote a blog post that goes a bit into detail [1].

Let's see whether Docker (the company) defines this tooling, but I'd say that they are on a good path. However in the end I'd expect it to be a standalone application and ecosystem, not tied to docker/moby being my container runtime.

[1] https://sourcediver.org/posts/260214_development_sandboxes/

Docker Sandboxes are microVMs.

Basically due to many reasons, ld_preload, various containers standards, open desktop, current init systems, widespread behavior from containers images from projects, LSM limitations etc…

It is impossible to maintain isolation within an agentic environment, specifically within a specific UID, so the only real option is to leverage the isolation of a VM.

I was going to release a PoC related to bwrap/containers etc… but realized even with disclosure it wasn’t going to be fixed.

Makes me feel bad, but namespaces were never a security feature, and the tooling has suffered from various parties making locally optimal decisions and no mediation through a third party to drive the ecosystem as a whole.

If you are going to implement isolation for agents, I highly suggest you consider micro VMs.

First thing I heard about it too, apparently docker has VMs now?

> Each agent runs inside a dedicated microVM with a version of your development environment and only your project workspace mounted in. Agents can install packages, modify configs, and run Docker. Your host stays untouched. - https://www.docker.com/products/docker-sandboxes/

I'd assume they were just "more secure containers" but seems like something else, that can in itself start it's own containers?

+1. It is confusing.

This is my take.

First: the audience is NOT software devs. Because as you've surely noticed if you are a software dev, you can do most of the things that OpenClaw can do; if it offers improvements, they seem very marginal. You know, "it makes web apps" I can do that; "it posts to Discord programmatically" I can code that; etc. Maybe an AI code buddy shaves a few minutes off but so what. It's hard to understand the hoopla if this is you.

However, if you're a small business owner of some kind, where "small business" is defined by headcount (not valuation - this can include VC's), it's been transformative.

For a person like that, adding a 10k/mo expense is a natural move. And, at that price point, an AI service for 2k/mo is more than competitive: it's a savings.

The other part is that I think a lot of people have gotten used to human-in-the-loop workflows, but there's a big step up if you can omit the person.

Combining this w/the observation above, there were a lot of small business owners who were probably stymied by this problem: they had a bunch of tasks across departments that were worth like $2k/mo to do but couldn't fill (not enough in salary, couldn't be local). AI fits naturally for that use case. For them, it's valuable.

I'm wondering the same thing. I keep seeing examples like "book your plane tickets" and "reschedule your meetings". I don't know who does these relatively high stakes things often enough to automate them.

I see the value for managing software projects, but the personal assistant stuff I don't get. Then again, I would never trust a model to send an email on my behalf, so I'm probably not the target audience.

Crazy isn't it? The first commit on nanoclaw is 2 weeks ago and it already got a front page blog post from docker.com and they shipped first class feature to host it. You don't get much more peak-hype than this.

the big labs talk about curing cancer - Altman, Hassabis, Musk

the little guys hype Claw

I don’t think SV is hyping Claw are they? Claw is all open source and indy. SV would much rather you use some YC service which does one thing Claw does, or use the LLM’s own dedicated 1P agent framework.

> What happened to curing cancer?

Because being a cancer is more, well, metastasizing.

Remember, that capitalism is growth at all costs, until the host is dead, aka cancer.

And, fake money until you can be money?

I recently started experimenting with agents and found this sandboxing tool for OpenCode useful https://github.com/glennvdv/opencode-dockerized