NanoClaw latches onto Docker Sandboxes for safer AI agents • The Register


Exclusive: NanoClaw, an open source agent platform, can now run inside Docker Sandboxes, furthering the project’s commitment to security.

NanoClaw, as we noted recently, followed from an effort to address the security holes opened by OpenClaw, which attracted widespread attention earlier this year as a way to empower AI models to roam about the web and operate applications on users’ behalf and without many constraints.

NanoClaw already runs inside containers, which makes it safer than running agent software directly on a local machine. Through a partnership with Docker, users can now install NanoClaw into a Docker Sandbox, a kind of micro VM that is more secure than a container because it is isolated from the host system: a container is an isolated process sharing the host’s kernel, whereas a micro VM has its own kernel.

“With Docker Sandboxes, that boundary is now two layers deep,” explained Gavriel Cohen, co-founder of NanoClaw, in a blog post provided to The Register ahead of publication. “Each agent runs in its own container (can’t see other agents’ data), and all containers run inside a micro VM (can’t touch your host machine). If a hallucination or a misbehaving agent can cause a security issue, the security model is broken. Security has to be enforced outside the agentic surface, not depend on the agent behaving correctly.”

Lazer and Gavriel Cohen, founders of NanoClaw

Docker Sandboxes are supported on macOS (Apple Silicon) and Windows (x86), with Linux support due in a few weeks.

Mark Cavage, COO of Docker, told The Register in an interview, “Docker Sandboxes are a new primitive that has the ergonomics of Docker and what I describe as the ethos of Docker. But it’s fundamentally a different primitive. It’s actually a micro VM and it actually has true isolation with its own dedicated kernel and its own dedicated hardware space.”

As a tagline to describe Sandboxes, he suggested “You can put YOLO in a box” – a reference to the risky “You only live once” setting (since renamed “auto-run”) available in the Cursor AI IDE to allow agents to perform a series of automated actions without seeking permission.

Cavage said the problem most people have with coding agents is they can generate all sorts of code, but developers must still click “Okay” over and over to use it. Developers, he said, frequently want to disable that protection and just go for it.

“But the problem is it can wipe out your file system and do very, very bad things,” he said.

Docker introduced Sandboxes last November to contain such problems. Cavage said that after the launch of NanoClaw, Cohen got in touch and, after some discussion, integrated Sandboxes into the code base.

Cavage said that the essence of Docker is portability, isolation, and simplicity. But containers, he said, assume some degree of immutability.

“You start something and Kubernetes will restart anything that looks like it’s drifted, and security teams have scanners to flag writable root file systems and so on,” he said. “But agents fundamentally are different and they violate that primitive from day one. You launch the agent and the very first thing it wants to do is look at the environment, install new packages, write some files, spin up databases that are mocked. It just wants to do stuff.”

Docker Sandboxes, he said, are more of a true process jail that enforces isolation.

What Docker and NanoClaw are doing is trying to reconcile fundamentally opposed ideas – the deterministic nature of computers with the non-deterministic nature of AI models. Mixing systems predicated on predictability with unpredictable AI models, Cavage admits, is not a solved problem and is something that will occupy the industry for a while.

“The reality is at least we have a reasonable bounding box as the foundational part of the stack and the very first thing that you need,” he said. “There’s clearly going to have to be a governance primitive and things that map in the middle of how the natural language system that has intelligence and wants to go off and do something can be bounded down to something that is ultimately deterministic from a capabilities perspective.”

Docker, said Cavage, is already sold on AI. “We use it. It’s an AI-native company at this point. We use it in every facet of the business.”

Docker, he said, is using its Sandbox primitive to cage AI agents but everyone still has to build layers on top of that to orchestrate workflows. The key to making this happen, he argues, is “put YOLO in a box.”

“Once you get there, then the developers all of a sudden go from effectively babysitting the agent to just letting it run for minutes or hours or longer at a time,” he said. “That’s the huge productivity unlock.” ®
