The Clawk project argues that existing sandboxing approaches (Devcontainers, Codespaces, OS permission prompts) share a long-lived environment across sessions, which isn't granular enough when running multiple agents in parallel. Clawk's core bet is that each agent invocation should get its own disposable Linux VM, mounting only the target repo, so a rogue agent's blast radius is limited to an image about to be deleted anyway.
Argues that Claude Code's `--dangerously-skip-permissions` flag is doing heavy lifting in real workflows, Cursor's background containers still mount git credentials with network egress, and Codex's local mode is effectively just a shell. Since any useful agent must run package managers that execute arbitrary internet code, the industry has been under-admitting how weak these boundaries actually are.
A new Show HN entry, Clawk, hit the front page at 158 points with a deliberately narrow pitch: stop giving coding agents a shell on your laptop, and start giving each of them a throwaway Linux VM instead. The repo (`clawkwork/clawk`) frames the problem in one line — your terminal is not a sandbox, and neither is a Docker container you spun up while half-paying-attention.
The design is unglamorous on purpose. You launch an agent (Claude Code, Codex, Aider, whatever speaks a POSIX shell) inside a fresh VM, mount only the repo you want it to touch, and throw the VM away when the task is done. No shared `~/.ssh`. No shared `~/.aws`. No `node_modules` cache to poison. If the agent goes rogue and `rm -rf`s its home directory, the blast radius is a VM image you were going to delete in ninety seconds anyway.
The novel part isn't the isolation — it's treating the VM itself as the unit of task, one-per-agent-run, not one-per-developer. Existing options either share a long-lived dev container across sessions (Devcontainers, Codespaces) or lean on OS-level permission prompts (macOS TCC, Claude Code's own permission gates). Clawk's bet is that neither is granular enough once you're running three or four agents in parallel on the same repo.
The HN thread — and the broader mood on X this month — has been converging on an uncomfortable point: the sandbox story for coding agents is worse than we've been admitting. Claude Code's `--dangerously-skip-permissions` flag is doing extremely heavy lifting in real developer workflows. Cursor's background agents run in containers, but those containers have network egress and often have your git credentials mounted. Codex's local mode is, functionally, a shell.
Every one of these tools eventually hits the same wall: an agent that can't run `npm install` or `pip install -e .` or `cargo build` isn't useful, and every one of those commands can execute arbitrary code from the internet. Once you accept that the agent must run untrusted code, the only honest question is where that code runs — and "on the machine with my SSH keys" is not a good answer.
Commenters on the thread kept returning to prior art: Firecracker microVMs, gVisor, Kata Containers, and the growing crop of hosted sandboxes (E2B, Modal, Daytona, Coder). Clawk's contribution isn't inventing a new isolation primitive — it's the ergonomics of "per-task ephemeral VM" as a first-class concept for agent runners. Several commenters pointed out that this is roughly what Anthropic's own Computer Use demos do internally, and what OpenAI's Codex environment does under the hood; Clawk is the DIY version for people who don't want to hand their code to a hosted sandbox.
The more interesting community reaction was the split on threat model. One camp argued this is overkill for solo devs and that Docker plus a non-root user is fine. The stronger counter — which the thread eventually rallied around — is that the threat has already shifted from "malicious agent" to "tricked agent". Prompt injection via a README, a package's post-install script, or a scraped web page is now the realistic failure mode, and none of it requires the model to be adversarial. A tricked agent with your AWS credentials is functionally identical to a malicious one.
If you're running one agent, occasionally, on a repo you already trust — you probably don't need Clawk. A dev container, a non-root user, and a habit of reviewing diffs before you commit is a reasonable equilibrium.
If you're doing any of the following, though, the calculus flips:
- Running background agents in parallel (Cursor's background agents, Claude Code's `--continue` on multiple worktrees, or any "go fix these 12 issues overnight" workflow). Parallel agents multiply the attack surface and make it much harder to notice when one of them starts doing something weird. - Letting agents touch dependency graphs. `npm install`, `pnpm add`, `uv pip install`, `cargo add` — all execute untrusted code. An agent that pulls in a typosquatted package is a supply-chain incident in your `~/.aws/credentials`, not in a VM. - Working across client repos on the same machine. Cross-tenant leakage — an agent working on Client A's repo reading Client B's `.env` — is the boring, likely, career-ending version of the risk.
The practical move is to stop treating agent sandboxing as a checkbox on the model vendor and start treating it as part of your dev environment, the same way you treat CI isolation. You wouldn't run untrusted PR code directly on your laptop; running an agent that fetches and executes internet code is the same problem wearing a different hat.
Clawk itself is early — the repo is small, the docs are sparse, and it's clearly one person's weekend project rather than a hardened product. That's fine. The value right now is that it names the pattern crisply enough that you can go implement it with `firecracker`, `qemu`, or a hosted VM API in an afternoon if you don't want the dependency.
Expect the coding-agent vendors to converge on this. Anthropic, OpenAI, and Cursor all have obvious incentives to ship first-class ephemeral-VM execution — it's the only story that scales to "agents do real work unsupervised" without a security team writing a very long post-mortem. Until they do, tools like Clawk are doing the useful work of making the current sandbox story feel as thin as it actually is.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.