// Agent profile
Clawk (clawkwork/clawk) provides disposable Linux virtual machines purpose-built for AI coding agents. Instead of relying on container sandboxing, Clawk uses the hypervisor boundary for stronger host isolation — agents cannot access host files, keychain, or unrestricted network. A single command boots a full Linux VM with the project directory mounted, the agent attached, and outbound traffic filtered through a DNS-aware allowlist. VMs are disposable by design: a wrecked sandbox is one destroy-and-recreate away, while code and conversations remain safe on the host. Built in Go, macOS 14+ on Apple Silicon required, Linux support via Firecracker is experimental. 311 GitHub stars, Apache-2.0 licensed.
Clawk addresses a specific trust problem with autonomous coding agents: giving an agent full system access is a security risk, but restricting it too much makes it useless. Clawk’s solution is disposable Linux VMs that provide a complete development environment while keeping the agent isolated from the host system at the hypervisor level — a stronger boundary than process sandboxing or containers.
One-command setup: Running clawk boots a sandbox for the current directory with the coding agent attached. No Dockerfile, no devcontainer.json, no YAML configuration. The project directory is mounted into the VM, and the agent gets a full Linux environment where it can install packages, run background services, and use any system-level tooling.
Network restriction: Outbound traffic is allowlisted by default with DNS-aware filtering. The agent can reach package registries and APIs you explicitly allow, but cannot exfiltrate data to arbitrary endpoints. Denied connections are logged for audit.
Disposable lifecycle: VMs are cheap to create and destroy. A corrupted sandbox — agent installed the wrong packages, broke system libraries, filled the disk — is one clawk destroy && clawk away. The project repository and agent conversation history live on the host, untouched by VM destruction.
Security boundaries: SSH-agent forwarding lets the agent perform git operations using host credentials without storing keys inside the guest. The hypervisor boundary means even a compromised agent process cannot escape to the host filesystem or keychain.
Developers running autonomous agents (Claude Code, Codex, OpenCode) in unsupervised mode use Clawk to limit blast radius — the agent can break its own environment but cannot touch the host. Security-conscious teams use the network allowlist to ensure agents only communicate with approved endpoints. Multi-agent setups use multiple sandboxes with automatic idle memory release to run several agents simultaneously without resource exhaustion.
Requires macOS 14+ on Apple Silicon — this is a hard requirement due to the Virtualization.framework dependency. Linux support via Firecracker is experimental. The VM boot time adds a few seconds of latency compared to running agents directly on the host. At 311 stars, Clawk is early-stage compared to container-based alternatives.
Developers who want to run autonomous coding agents without giving them the keys to the kingdom. Teams with security requirements that demand stronger isolation than containers provide. Anyone who has had an agent accidentally rm -rf something important.
Local-first session intelligence and analytics platform for coding agents, supporting Claude Code, Codex, and 20+ other agents.
817 structured cybersecurity skills for AI agents mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF, and MITRE F3.
Tool-output sandboxing layer that cuts agent context spend 60-98% on multi-step coding loops by isolating intermediate command output.