
We announced today that we’ve partnered with Docker to enable running NanoClaw in Docker Sandboxes with one command. You can read Docker’s blog post here.

Get Started


# macOS (Apple Silicon)
curl -fsSL https://nanoclaw.dev/install-docker-sandboxes.sh | bash

# Windows (WSL)
curl -fsSL https://nanoclaw.dev/install-docker-sandboxes-windows.sh | bash
This handles the clone, setup, and Docker Sandbox configuration. You can also install manually from source.
Note: Docker Sandboxes are currently supported on macOS (Apple Silicon) and Windows (x86), with Linux support rolling out in the coming weeks.
Once it’s running, every agent gets its own isolated container inside a micro VM. No dedicated hardware needed. No complex setup.

...read more at nanoclaw.dev

Imagine that on your main box you copy and paste `curl .. | bash` into the terminal and then think you did a great job because it said "sandbox".


What does this mean?


It means that if I want both you and your stupid claw bot to be my slaves forever, I will just change the script.

Executing `<download script> | bash` literally means that you will accept everything the script does, indiscriminately. Pre-AI it was the dumbest shit to ever become a norm. With AI... if you do this then you will get rekt.

while ( tempt_faith() ) get_rekt();

Yeah, the script code calls the shots. You think it’s got any vulnerabilities? Or could it have some later?

#!/usr/bin/env bash
# setup-sandbox.sh — Set up NanoClaw in a Docker AI Sandbox.
#
# Usage:
#   curl -fsSL https://nanoclaw.dev/install-docker-sandboxes.sh | bash

set -euo pipefail

REPO_URL="https://github.com/qwibitai/nanoclaw-docker-sandbox.git"
REPO_BRANCH="main"

# Generate unique suffix for this instance
SUFFIX=$(date +%s | tail -c 5)
WORKSPACE="${HOME}/nanoclaw-sandbox-${SUFFIX}"
SANDBOX_NAME="nanoclaw-sandbox-${SUFFIX}"

# When piped via curl|bash, stdin is the script itself.
# Redirect stdin for commands that might consume it.

echo ""
echo "=== NanoClaw Docker Sandbox Setup ==="
echo ""
echo "Workspace: ${WORKSPACE}"
echo "Sandbox:   ${SANDBOX_NAME}"
echo ""

# ── Preflight ──────────────────────────────────────────────────────
if [[ "$(uname -s)" == "Darwin" && "$(uname -m)" != "arm64" ]]; then
  echo "ERROR: Docker AI Sandboxes require Apple Silicon (M1 or later)."
  echo "Intel Macs are not supported. See: https://docs.docker.com/sandbox/"
  exit 1
fi

if ! command -v docker &>/dev/null; then
  echo "ERROR: Docker not found."
  echo "Install Docker Desktop 4.40+: https://www.docker.com/products/docker-desktop/"
  exit 1
fi

if ! docker sandbox version </dev/null &>/dev/null; then
  echo "ERROR: Docker sandbox not available."
  echo "Update Docker Desktop 4.40+ and enable sandbox support."
  exit 1
fi

# ── Clone NanoClaw on host ─────────────────────────────────────────
echo "Cloning NanoClaw..."
git clone -b "$REPO_BRANCH" "$REPO_URL" "$WORKSPACE" </dev/null

# ── Create sandbox using Claude agent type ─────────────────────────
echo "Creating sandbox..."
echo y | docker sandbox create --name "$SANDBOX_NAME" claude "$WORKSPACE"

# ── Configure proxy bypass for messaging platforms ─────────────────
echo "Configuring network bypass..."
docker sandbox network proxy "$SANDBOX_NAME" \
  --bypass-host api.anthropic.com \
  --bypass-host "api.telegram.org" \
  --bypass-host "*.telegram.org" \
  --bypass-host "*.whatsapp.com" \
  --bypass-host "*.whatsapp.net" \
  --bypass-host "*.web.whatsapp.com" \
  --bypass-host "discord.com" \
  --bypass-host "*.discord.com" \
  --bypass-host "*.discord.gg" \
  --bypass-host "*.discord.media" \
  --bypass-host "slack.com" \
  --bypass-host "*.slack.com" </dev/null

echo ""
echo "========================================="
echo "  Sandbox created! Launching..."
echo "========================================="
echo ""
echo "Type /setup when Claude Code starts."
echo ""

docker sandbox run "$SANDBOX_NAME" </dev/tty
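The `</dev/null` and `</dev/tty` redirects in the script above exist because of the stdin hazard its own comment mentions. The following is an added example, not part of the posted setup-sandbox.sh or of NanoClaw, that reproduces the hazard: a constructed four-line installer is piped into bash, once with a bare `read` and once with the script's mitigation. It assumes a `bash` binary is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the posted setup-sandbox.sh: why that script puts
# </dev/null on git clone and the docker calls, and </dev/tty on the final run.
# When bash executes a script from a pipe (curl ... | bash), the script text is
# bash's own stdin, and bash reads it a byte at a time as it goes. Any command
# in the script that reads stdin therefore eats lines of the script that bash
# has not reached yet, and those lines never run.

# A tiny installer-like script (constructed for this example). The second line
# reads stdin, as a "continue? [y/N]" prompt or an interactive tool would.
unsafe_script() {
  cat <<'EOF'
echo "step 1"
read -r answer
echo "INSTALL_STEP_2"
echo "step 3 answer=$answer"
EOF
}

# Same script with the mitigation used in setup-sandbox.sh: the stdin-reading
# command is pointed at /dev/null so it cannot consume the script itself.
safe_script() {
  cat <<'EOF'
echo "step 1"
read -r answer </dev/null || true
echo "INSTALL_STEP_2"
echo "step 3 answer=$answer"
EOF
}

# Feed a script to bash through a pipe, exactly as curl | bash does, and
# return its stdout.
run_piped() {
  "$1" | bash
}

# Did the line after the stdin-reading command execute at all?
step2_ran() {
  run_piped "$1" | grep -qx 'INSTALL_STEP_2'
}

# Stand-alone demo. In the unsafe run, "INSTALL_STEP_2" never prints on its
# own line: the read swallowed that line of source, and it shows up instead
# as the value of $answer on step 3.
echo "--- piped, no redirect ---"; run_piped unsafe_script
echo "--- piped, read </dev/null ---"; run_piped safe_script
```

The same mechanism is why the posted script's last line uses `</dev/tty` instead: `docker sandbox run` needs an interactive terminal, and without the redirect it would be reading the tail of the script as its keystrokes.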
> # ── Configure proxy bypass for messaging platforms

lol

But more importantly: the issue is | bash. It's fine if you change that into > /tmp/script.sh and then you do cat /tmp/script.sh and then you do bash /tmp/script.sh

The problem is immediate execution. Imagine all the gazillions of years people spent trying to make eval secure in any language (and often gave up)... and then people do this.

"Yes, I trust you, random anon on the internet that vibe coded something, what can possibly go wrong?"

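The download, read, then run flow from the comment above, as an added example that is not part of the thread or of NanoClaw, with the two checks a practitioner would bolt on: a pinned digest and a scan for the lines that deserve a close read. It assumes (hypothetically) that the publisher posts a SHA-256 for the script somewhere other than the download URL, which you paste in as the expected digest; the red-flag count is a reading aid, not a verdict.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the NanoClaw project: the
# "download, read it, then run it" flow, with two checks worth adding.
# Assumption (hypothetical): the publisher lists the release's SHA-256 in a
# place you trust independently of the download URL (release notes, a signed
# tag), and you paste that value in as the expected digest.

# SHA-256 of a file, with GNU coreutils or the macOS/BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# 0 if the file matches the pinned digest, 1 otherwise.
check_digest() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Number of lines that need a human look before anything runs: a nested
# pipe-to-shell, eval, decoding of an opaque blob, sudo, a recursive rm.
# Non-zero means "read this closely", not "malicious".
count_red_flags() {
  grep -cE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|(^|[[:space:]])eval[[:space:]]|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])sudo[[:space:]]|(^|[[:space:]])rm[[:space:]]+-[a-zA-Z]*r' "$1" || true
}

# Step 1 of the flow: fetch to a file instead of to bash. Nothing runs yet.
# (Network call, so the offline checks do not exercise it.)
fetch_script() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Steps 2 and 3: refuse on a digest mismatch, print the red-flag count, show
# the file with control characters made visible (a stray \r or an escape
# sequence can hide text from a plain cat), ask, and only then run it from
# the file.
review_and_run() {
  script="$1"; expected="$2"
  if ! check_digest "$script" "$expected"; then
    echo "digest mismatch for $script; not running" >&2
    return 1
  fi
  echo "lines worth a closer look: $(count_red_flags "$script")"
  cat -vet "$script"
  printf 'Run %s? [y/N] ' "$script"
  read -r ok </dev/tty || return 1
  [ "$ok" = "y" ] && bash "$script"
}

# Usage with the one-liner's real URL; EXPECTED_SHA256 is a placeholder you
# replace with the value the publisher posted:
#   fetch_script https://nanoclaw.dev/install-docker-sandboxes.sh /tmp/script.sh
#   review_and_run /tmp/script.sh "$EXPECTED_SHA256"
```

Note that the posted setup-sandbox.sh would itself score one hit from this scan, because its usage comment contains `curl ... | bash`; that is exactly the kind of line the count is meant to make you look at rather than decide for you.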

Right! Piping the script to `| bash` is the biggest issue. Hahaha


Yeah! Please remember that next post 😂

#!/bin/bash

while true
do
  echo "Don’t run scripts without checking the code first."
done
26 sats \ 1 reply \ @freetx 13 Mar

That's a great approach. In general I think the future is to have this type of thing built into the router / orchestrator code itself (i.e. inside openwebUI or Cursor itself) so everything is done inside a container (i.e. no more `rm -fr /` on the base OS).


Check out `docker agent`; it has ACP.
