by mensfeld
Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.
# Add to your Claude Code skills
git clone https://github.com/mensfeld/code-on-incusGuides for using ai agents skills like code-on-incus.
Last scanned: 5/15/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-15T06:58:25.241Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}code-on-incus is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by mensfeld. Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically. It has 585 GitHub stars.
Yes. code-on-incus passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/mensfeld/code-on-incus" and add it to your Claude Code skills directory (see the Installation section above).
code-on-incus is primarily written in Python. It is open-source under mensfeld on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh code-on-incus against similar tools.
No comments yet. Be the first to share your thoughts!
coi)Isolated machines for AI coding agents - with active defense.
COI gives each AI agent its own machine - a full system container with root access, systemd, Docker, and the ability to install anything. Agents work like they would on a real server: run services, manage packages, use cron - without touching your actual system. Files stay correctly owned, no permission hacks needed.
Your credentials stay on the host. SSH keys, environment variables, and Git tokens are never exposed to AI tools unless you explicitly mount them. If something goes wrong, COI catches it - reverse shells, credential scanning, data exfiltration - and pauses or kills the container automatically. No manual intervention needed.
Built by developers, for developers who run AI agents and want to know what those agents are doing. Not a product, not a startup - a tool that does the job.

Currently supported:
Coming soon:
Tool selection is config/profile-driven:
# ~/.coi/config.toml or ./.coi/config.toml
[tool]
name = "opencode" # or "claude" (default), "pi"
coi shell # Uses the configured tool (Claude Code by default)
coi shell --profile opencode # Or switch via a profile with [tool] name = "opencode"
Permission mode - Control whether AI tools run autonomously or ask before each action:
# ~/.coi/config.toml or .coi/config.toml
[tool]
name = "claude" # Default AI tool
permission_mode = "bypass" # "bypass" (default) or "interactive"
See the Supported Tools wiki page for detailed configuration, API key setup, and adding new tools.
Core Capabilities
Host Integration
[ssh] forward_agent = true)[[sockets]]) so the host endpoint never enters the container — the building block for credential brokers (mint short-lived tokens on the host, fetch them on demand inside). Untrusted project-config sockets are gated behind coi trust[[credentials]] entries (config or profile): reference a named catalog bundle (bundle = "ollama") or declare an ad-hoc host/container file pair for anything not yet cataloged. claude/opencode/pi's own credential files come from the same built-in catalog. Ad-hoc entries from an untrusted project .coi/config.toml are gated behind coi trust; catalog references carry the same trust level the built-in tool credentials already haveforward_env in config)[defaults.env_commands]) — for short-lived API keys/tokens. Trusted-scope config only[timezone] config)~/SANDBOX_CONTEXT.md tells AI tools about their environment (network mode, workspace path, persistence, etc.). Automatically loaded into each tool's native context system: Claude Code via ~/.claude/CLAUDE.md, OpenCode via the instructions field in opencode.json, pi via ~/.pi/agent/APPEND_SYSTEM.md symlink (opt out with auto_context = false)Security & Isolation
.env files, Git credentials, and environment variables are never exposed unless explicitly mountedsecurity.privileged=true is detected, which defeats all container isolationcoi health checks seccomp, AppArmor, and privilege settings to confirm full isolation.git/hooks, .git/config, .husky, .vscode mounted read-only to prevent supply-chain attackschattr +i during sessions, preventing unshare -m + umount bypass of read-only mounts (opt out: [security] host_immutable = false)user.useConfigOnly=true, preventing AI tools from committing as the default "code" user/dev/incus) disabled by default, preventing host path and topology leaksSafe Dangerous Operations
# Install
curl -fsSL https://raw.githubusercontent.com/mensfeld/code-on-incus/master/install.sh | bash
# Build image (first time only, ~5-10 minutes)
coi build
# Start coding with your preferred AI tool (defaults to Claude Code)
cd your-project
coi shell
# Or use opencode instead (config-driven: [tool] name = "opencode",
# or a profile: coi shell --profile opencode)
# That's it! Your AI coding assistant is now running i