by clawkwork
Disposable, network-restricted Linux VMs for AI coding agents
# Add to your Claude Code skills
git clone https://github.com/clawkwork/clawkclawk is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by clawkwork. Disposable, network-restricted Linux VMs for AI coding agents. It has 216 GitHub stars.
clawk's catalog security scan is still queued. You can run an instant dependency and prompt-injection check now with the "Scan for vulnerabilities" button above.
Clone the repository with "git clone https://github.com/clawkwork/clawk" and add it to your Claude Code skills directory (see the Installation section above).
clawk is primarily written in Go. It is open-source under clawkwork on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh clawk against similar tools.
No comments yet. Be the first to share your thoughts!
Unlocks once the catalog security scan passes (runs nightly).
The deep catalog scan for this skill is still queued. Run an instant dependency check now instead.
Give a coding agent its own disposable Linux machine, not yours.
Install · Quickstart · Why a VM? · How it works · Compared to · FAQ · Docs
A coding agent is only useful when you let it actually do things: install
packages, run the code it writes, start servers, use the network. On your own
machine that leaves two bad options. You approve every command (and babysit a
prompt every few seconds), or you run --dangerously-skip-permissions and hope
nothing important is one rm -rf or one leaked token away.
clawk is a third option. cd into a repo, type clawk, and Claude Code (or
Codex, or a shell) is working inside a disposable Linux VM (your code mounted
in, root in the guest, no permission prompts) while your files, your keychain,
and the rest of your machine stay out of reach. The agent gets its own
machine instead of yours.
The boundary isn't a rule in a prompt the agent could be talked out of. It's a separate machine, and the only openings are the ones you mounted. From a shell inside a sandbox:
$ curl https://tracker.evil.example # not on the allow-list: blocked
curl: (7) Failed to connect to tracker.evil.example port 443 after 2 ms: Connection refused
$ cat ~/.ssh/id_rsa # your keys never entered the VM
cat: /home/agent/.ssh/id_rsa: No such file or directory
$ git push # ...yet this works: ssh-agent is forwarded
Enumerating objects: 5, done.
To be honest about the limits, the allow-list blocks connections to unknown servers, not to ones you've allowed: github.com is pre-allowed and the forwarded ssh-agent can push, so treat anything the agent can read as something it could publish. The security model spells this out.
And if the agent wrecks the VM, run clawk destroy && clawk: a fresh VM, same
repo, and --resume restores the conversation.
[!IMPORTANT] Pre-1.0 and moving fast. Expect breaking changes between releases and the occasional rough edge; things can and will break. Please file issues; that feedback is shaping 1.0.
rm -rf, package installs, and untrusted code can't reach your
host, your files, or anything you didn't explicitly share.cd into a repo and run clawk. No
Dockerfile, devcontainer, or setup file. First boot builds a rootfs from
your image; every boot after takes seconds.git push works without keys entering the VM.clawk is a general-purpose local environment for autonomous coding agents. The VM is the point: it's a whole machine the agent can own, not a process wrapped in policy on the one you're using.
/dev/kvm-shaped expectations, so tools behave the way their docs say,
without a syscall-filter surprise./etc, load a module,
bind a privileged port. It's the agent's box to reconfigure.clawk destroy && clawk away, with your repo and conversations
untouched on the host.That combination runs workloads a restricted process sandbox tends to fight you on:
None of this is the product; clawk is for local agent work in general. Docker and Kubernetes are just the sharpest example of "needs a real machine, not a sandboxed process."
Requires macOS 14+ on Apple silicon. (Linux is supported via firecracker and currently experimental; see VM providers for the gaps. This README is macOS-first.)
brew install clawkwork/tap/clawk
From source (contributors, or if you don't use Homebrew), needs Go 1.26+:
git clone https://github.com/clawkwork/clawk && cd clawk
make install
Either way there's no extra host tooling: no Docker, no qemu, no sudo. The hypervisor is Apple's Virtualization.framework, linked into the binary. First run probes for anything missing and offers to fix it.
Uninstall: clawk destroy your sandboxes, rm -rf ~/.clawk, then remove
the binary with brew uninstall clawk (or delete it from $GOBIN for a
source install). Nothing else was installed: there are no launchd jobs; the
per-sandbox daemons are ordinary processes that exit with their VMs.
The everyday case, a sandbox for the directory you're in:
cd ~/code/my-project
clawk # boot a sandbox for this dir + attach claude
clawk run shell # drop into a shell in the same sandbox
clawk run codex # or another agent: codex, opencode, shell
clawk down # stop the VM (repo + agent state persist)
clawk attach # come back later — boots if stopped, reattaches claude
clawk destroy # remove the VM (conversation history is kept)
Common options:
clawk run claude -- --resume # pass args through to the agent
clawk forward add my-project 3000 # expose a guest dev server on localhost:3000
clawk network allow my-project api.example.com
Working on a ticket that spans several repositories? One command creates a
sandbox with a git worktree per repo on a fresh branch, and clawk pr later
opens cross-linked PRs for whatever changed:
cd ~/code/my-workspace # contains a clawk.mod listing the repos
clawk work INFRA-123 # one sandbox, a worktree per repo, claude attached
clawk pr INFRA-123 # push branches + open one PR per repo
The full ticket lifecycle (status, follow-up branches after merges, rebases) is in docs/ticket-mode.md.
Tip: using Claude Code? Run
claude setup-tokenthenclawk auth set-tokenonce, and every sandbox comes up already signed in, with no/loginand no login conflicts between parallel sandboxes. See docs/claude-auth.md.
One rule governs persistence: the VM is disposable; everything you'd miss lives on the host.
clawk down |
clawk destroy |
|
|---|---|---|
| Your repo (mounted worktree; commits, branches) | ✅ | ✅ |
| Agent state (Claude/Codex conversations, memory) | ✅ | ✅ |
The VM disk (apt installs, caches, $HOME) |
❌ (rebuilt fresh at every boot*) | ❌ (that's the point) |
* Two exceptions: resuming a clawk snapshot restores the disk and
memory exactly as suspended, and the Linux/firecracker provider keeps
its disk until destroy. Tools every boot needs belong in the image
(vm ( image … )); per-boot setup belongs in on up hooks.
Agent state is host-mounted per sandbox: the guest's ~/.claude/projects/
and ~/.claude/memory/ (and codex's ~/.codex/) live under
~/.clawk/namespaces/default/state/<name>/ on the host, so a recreated
sandbox picks up its old conversations with --resume.
--safe opt-out)Runners launch in their "externally sandboxed" modes: claude gets
--dangerously-skip-permissions, codex gets
--dangerously-bypass-approvals-and-sandbox. On your own machine those flags
would be reckless; here they are the point: the VM boundary and the network
allow-list provide the containment, so the agent works at full speed without
per-action prom