AGENTCONN
C

// Agent profile

Clawk

DevOps Free

About Clawk

Clawk (clawkwork/clawk) provides disposable Linux virtual machines purpose-built for AI coding agents. Instead of relying on container sandboxing, Clawk uses the hypervisor boundary for stronger host isolation — agents cannot access host files, keychain, or unrestricted network. A single command boots a full Linux VM with the project directory mounted, the agent attached, and outbound traffic filtered through a DNS-aware allowlist. VMs are disposable by design: a wrecked sandbox is one destroy-and-recreate away, while code and conversations remain safe on the host. Built in Go, macOS 14+ on Apple Silicon required, Linux support via Firecracker is experimental. 311 GitHub stars, Apache-2.0 licensed.

Key Features

  • Hypervisor-level isolation — stronger than container sandboxing
  • Single command setup — no Dockerfile or devcontainer configuration
  • DNS-aware network allowlisting with denial logging
  • Disposable VMs — destroy and recreate without losing code or conversations
  • SSH-agent forwarding for git operations without storing keys in the guest
  • Multi-sandbox support with automatic idle memory release
  • Full Linux environment — install packages, run services, use system tools
  • Any OCI image as rootfs

Overview

Clawk addresses a specific trust problem with autonomous coding agents: giving an agent full system access is a security risk, but restricting it too much makes it useless. Clawk’s solution is disposable Linux VMs that provide a complete development environment while keeping the agent isolated from the host system at the hypervisor level — a stronger boundary than process sandboxing or containers.

Key Capabilities

One-command setup: Running clawk boots a sandbox for the current directory with the coding agent attached. No Dockerfile, no devcontainer.json, no YAML configuration. The project directory is mounted into the VM, and the agent gets a full Linux environment where it can install packages, run background services, and use any system-level tooling.

Network restriction: Outbound traffic is allowlisted by default with DNS-aware filtering. The agent can reach package registries and APIs you explicitly allow, but cannot exfiltrate data to arbitrary endpoints. Denied connections are logged for audit.

Disposable lifecycle: VMs are cheap to create and destroy. A corrupted sandbox — agent installed the wrong packages, broke system libraries, filled the disk — is one clawk destroy && clawk away. The project repository and agent conversation history live on the host, untouched by VM destruction.

Security boundaries: SSH-agent forwarding lets the agent perform git operations using host credentials without storing keys inside the guest. The hypervisor boundary means even a compromised agent process cannot escape to the host filesystem or keychain.

Use Cases

Developers running autonomous agents (Claude Code, Codex, OpenCode) in unsupervised mode use Clawk to limit blast radius — the agent can break its own environment but cannot touch the host. Security-conscious teams use the network allowlist to ensure agents only communicate with approved endpoints. Multi-agent setups use multiple sandboxes with automatic idle memory release to run several agents simultaneously without resource exhaustion.

Considerations

Requires macOS 14+ on Apple Silicon — this is a hard requirement due to the Virtualization.framework dependency. Linux support via Firecracker is experimental. The VM boot time adds a few seconds of latency compared to running agents directly on the host. At 311 stars, Clawk is early-stage compared to container-based alternatives.

Who It’s For

Developers who want to run autonomous coding agents without giving them the keys to the kingdom. Teams with security requirements that demand stronger isolation than containers provide. Anyone who has had an agent accidentally rm -rf something important.

Similar Agents