This article is remarkably light on the deal with docker, it's basically just mentioned in passing:
> Now, on Friday, Cohen announced a deal with Docker — the company that essentially invented the container technology NanoClaw is built on, and counts millions of developers and nearly 80,000 enterprise customers — to integrate Docker Sandboxes into NanoClaw.
So I am late to the party on this; I can ABSOLUTELY see what would fuel a 48 hr code binge. I would be LIVID if a package I downloaded did such a bulk pull from my Whatsapp, and even further enraged if I found a bulk of packages integrated that led me to believe security was never a single thought.
Future innovators, don't take security for granted; someone who cares will eat your lunch.
"The stronger boundary protects the machine while the agent is coding, testing and improvising. It does not protect the rest of the world from the permissions you have already granted. A better-isolated runtime will not stop the bot from spraying outbound messages, sending a stupid email, or otherwise turning your authority into a minor public nuisance."
That seems to be a tough question to answer. My first instinct was to say there isn't a meaningful difference since they're both using the same runtime (runc) and have an identical CLI. I hoped maybe the source code for this project would be helpful, but the installer script isn't in the repo, and when I download it to inspect, it's not consistent on its own name, links out to documentation that doesn't exist, and seems to be calling docker subcommands that don't exist, at least not in any version of docker I have.
It appears that docker now offers a "sandbox" subcommand specifically meant for fencing AI agents inside of micro VMs instead of containers at all: https://docs.docker.com/ai/sandboxes/. This is the page the installer script meant to link to but got wrong. If you type docker --help, this doesn't show up as an available subcommand but apparently it is. The documentation says you need Docker Desktop 4.58+, which the installer script is again wrong about, saying you need 4.40+, and it is only available on Mac and Windows, not Linux.
This does sound more or less the same as firecracker, but firecracker only runs on Linux, so I suppose it didn't meet this guy's requirement that he probably uses a Mac.
If anyone happens to be interested in sandboxing, a community of us are building https://nono.sh
For what it's worth, it's not just whipped up in claude, a lot of us have a long background in security - I originally created sigstore.dev and was a distinguished engineer at red hat where I built and contributed to a lot of open source security work.
Comes and check it out, any support is appreciated as there is a lot of noise around with all these projects going through weekly hype cycles.
It’s sad that it’s come to this, but your addendum with credentials and a non-slop declaration worked. Three years ago it would have seemed unnecessarily self-aggrandizing. Today I wouldn’t have clicked the link without it.
"In researching a hiccup with performance, he stumbled across a file where the OpenClaw agent had downloaded all of his WhatsApp messages and stored them in plain, unencrypted text on his computer. Not just the work-related messages it was given explicit access to, but all of them, his personal messages too."
Now the agent can do the same thing, but it's in a container and it's doing it with a Rust binary, so you know it's safe. /s
The only thing I am sad about: This would be extremely unlikely to happen in Europe (I built https://github.com/rcarmo/piclaw, and have had zero feels from anybody)
8 comments
[ 0.29 ms ] story [ 32.8 ms ] thread> Now, on Friday, Cohen announced a deal with Docker — the company that essentially invented the container technology NanoClaw is built on, and counts millions of developers and nearly 80,000 enterprise customers — to integrate Docker Sandboxes into NanoClaw.
Relevant link: https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes
Future innovators, don't take security for granted; someone who cares will eat your lunch.
from:
https://entropytown.com/articles/2026-03-12-openclaw-sandbox...
plus, any idea why not podman or firecracker?
It appears that docker now offers a "sandbox" subcommand specifically meant for fencing AI agents inside of micro VMs instead of containers at all: https://docs.docker.com/ai/sandboxes/. This is the page the installer script meant to link to but got wrong. If you type docker --help, this doesn't show up as an available subcommand but apparently it is. The documentation says you need Docker Desktop 4.58+, which the installer script is again wrong about, saying you need 4.40+, and it is only available on Mac and Windows, not Linux.
This does sound more or less the same as firecracker, but firecracker only runs on Linux, so I suppose it didn't meet this guy's requirement that he probably uses a Mac.
For what it's worth, it's not just whipped up in claude, a lot of us have a long background in security - I originally created sigstore.dev and was a distinguished engineer at red hat where I built and contributed to a lot of open source security work.
Comes and check it out, any support is appreciated as there is a lot of noise around with all these projects going through weekly hype cycles.
Now the agent can do the same thing, but it's in a container and it's doing it with a Rust binary, so you know it's safe. /s
Edit: It's not Rust.