← all repositories
clawkwork/clawk

Your coding agent gets a throwaway VM; your laptop keeps its secrets

It exists because babysitting every agent command—or blindly trusting `--dangerously-skip-permissions`—is a terrible way to work.

540 stars Go Coding Assistants
clawk
Collecting fresh signals — velocity needs a few days of history.
collecting data…
star history

What it does

clawk is a local sandbox manager that wraps coding agents like Claude Code or Codex inside a disposable Linux microVM. Your repository mounts into the guest, where the agent gets root and a restricted network, while your host filesystem, SSH keys, and keychain stay physically outside the boundary. If the agent trashes the environment, you destroy the VM and boot a fresh one; your code and conversation history remain untouched on the host.

The interesting bit

The isolation is hardware-backed, not a prompt-engineering prayer: on macOS it uses Apple’s Virtualization.framework directly—no Docker, no QEMU, no sudo—so the guest runs its own kernel and the host was simply never mounted. Rather than fighting agent autonomy, the tool embraces it, launching Claude or Codex in their "dangerously skip permissions" modes because the VM boundary and network allow-list are meant to be the real containment.

Key highlights

  • Agents run in a full Linux VM with its own kernel, not a wrapped process sandbox.
  • Network is deny-by-default with a DNS-aware allow-list; common registries and GitHub are pre-approved.
  • Multi-repo "ticket mode" spins up coordinated git worktrees across several repositories.
  • Any OCI image can serve as the guest rootfs, so the environment matches your toolchain exactly.
  • Agent conversations and memory persist on the host even when the disposable VM disk is erased.

Caveats

  • Explicitly pre-1.0 with breaking changes expected between releases.
  • macOS 14+ on Apple silicon is the primary target; Linux support via Firecracker is experimental and has documented gaps.
  • The security model notes that while unknown outbound hosts are blocked, pre-approved destinations like GitHub and a forwarded ssh-agent mean a compromised agent could still exfiltrate data it can read from the mounted repo.

Verdict

Developers who want coding agents to install packages, bind ports, and run tests at full speed without risking their host machine should try this. If you are already comfortable with container-based agent sandboxes or need a stable, cross-platform release, wait for 1.0.

Frequently asked

What is clawkwork/clawk?
It exists because babysitting every agent command—or blindly trusting `--dangerously-skip-permissions`—is a terrible way to work.
Is clawk open source?
Yes — clawkwork/clawk is open source, released under the Apache-2.0 license.
What language is clawk written in?
clawkwork/clawk is primarily written in Go.
How popular is clawk?
clawkwork/clawk has 540 stars on GitHub.
Where can I find clawk?
clawkwork/clawk is on GitHub at https://github.com/clawkwork/clawk.

heatdrop uses Google Analytics to see which pages get read — nothing else. Your call. How we handle data.