Clawk: Disposable Linux VMs for AI Coding Agents

Clawk: Disposable Linux VMs for AI Coding Agents

Clawk is a tool designed to provide AI coding agents with their own disposable Linux virtual machines (VMs), removing the risk of running autonomous agents directly on a host laptop. By isolating the agent in a separate machine with its own kernel, Clawk ensures that the agent cannot access the host's filesystem, keychain, or sensitive system files unless explicitly shared.

Key Features and Capabilities

Clawk allows coding agents to operate with full autonomy—installing packages, running servers, and executing builds—within a contained environment.

Isolation and Security

  • Hypervisor-Level Boundary: Unlike process-level sandboxes, Clawk uses a separate Linux kernel. The host filesystem is not hidden via deny rules; it is simply not mounted.
  • Network Allow-listing: All outbound traffic is denied by default. Each sandbox has its own DNS-aware allow-list, ensuring the agent can only reach approved servers (e.g., GitHub, npm, PyPI).
  • Secret Protection: SSH keys and other sensitive credentials stay on the host. Clawk uses ssh-agent forwarding to allow the agent to perform git push operations without the actual keys ever entering the VM.
  • Disposable Lifecycle: If an agent compromises or wrecks the VM, it can be destroyed and recreated instantly using clawk destroy && clawk, while the project repository and agent conversation history remain intact on the host.

Workflow Integration

  • One-Command Setup: Running clawk inside a project directory boots a sandbox and attaches an agent (such as Claude Code or Codex) automatically.
  • OCI Image Support: Any OCI image can serve as the rootfs, allowing users to define the exact toolchain required for a project via a clawk.mod configuration file.
  • Ticket Mode: For tasks spanning multiple repositories, Clawk can create a single sandbox with a git worktree per repository, coordinating changes across multiple projects and opening cross-linked PRs.
  • State Persistence: Agent conversations and memory are host-mounted, meaning a recreated VM picks up exactly where the previous session left off when using the --resume flag.

Technical Architecture

Clawk operates by creating a per-sandbox daemon that manages the VM lifecycle and networking.

  • Hypervisor: On macOS, it leverages Apple's Virtualization.framework; on Linux, it uses firecracker (currently experimental).
  • Networking: The daemon implements a userspace TCP/IP stack (gvproxy). This allows the network filter to operate below the guest OS, meaning even a root user inside the VM cannot reconfigure the firewall.
  • Disk Management: OCI images are pulled and flattened into ext4 disks. To save space, Clawk uses copy-on-write clones (APFS clonefile on macOS), so multiple sandboxes from the same image only consume additional space for the guest's writes.
  • Access: There is no sshd or cloud-init inside the guest. Access is provided via a vsock bridge to an in-guest pty-agent.

Comparison with Other Sandboxing Methods

Method Isolation Level Setup Overhead Host Risk
Local Process None Low High
Containers/Devcontainers Shared Kernel Low Medium (Kernel bugs/socket mounts)
C-level Sandboxes Process-level Low Medium (Policy mistakes)
Clawk (VMs) Separate Kernel Medium Low

Community Insights and Alternatives

Discussion among developers highlights a growing trend toward "agentic" infrastructure. While some users suggest that separate OS users or Podman containers are sufficient for basic isolation, others emphasize that a full VM is necessary for workloads requiring native dependencies or nested virtualization (e.g., running Docker inside the sandbox).

Several alternative projects were mentioned in the community discussion, including:

  • yoloai: A similar sandbox approach supporting multiple backends (Docker, gVisor, Firecracker).
  • flar: A namespace-based approach that bubblewraps the agent for faster startup than a VM.
  • katsuobushi: A Nix-based sandbox leveraging microvm.nix for declarative configuration.
  • AgentCage: A tool offering a choice between containers and VMs with a MITM proxy for monitoring.

System Requirements and Limitations

  • Platform Support: Full support requires macOS 14+ on Apple silicon. Linux support via Firecracker is experimental.
  • Hardware Gating: Nested virtualization (running Docker/Kubernetes inside the VM) is an opt-in feature that requires specific hardware and guest kernel overrides.
  • Security Limits: Clawk does not protect against malicious code committed to the repository by the agent, nor does it protect against hypervisor escapes. Users are advised to review all agent-generated commits as they would a stranger's PR.

Sources