pull down to refresh
It means that if I want both you and your stupid claw bot to be my slave forever, I will just change the script.
Executing <download script> | bash literally means that you will accept everything the script does, indiscriminately. Pre-AI it was the dumbest shit to ever become a norm. With AI... if you do this then you will get rekt.
while ( tempt_faith() ) get_rekt();Yeah, the script code calls the shots. You think it’s got any vulnerabilities? Or could it have some later?
#!/usr/bin/env bash
# setup-sandbox.sh — Set up NanoClaw in a Docker AI Sandbox.
#
# Usage:
# curl -fsSL https://nanoclaw.dev/install-docker-sandboxes.sh | bash
set -euo pipefail
REPO_URL="https://github.com/qwibitai/nanoclaw-docker-sandbox.git"
REPO_BRANCH="main"
# Generate unique suffix for this instance
SUFFIX=$(date +%s | tail -c 5)
WORKSPACE="${HOME}/nanoclaw-sandbox-${SUFFIX}"
SANDBOX_NAME="nanoclaw-sandbox-${SUFFIX}"
# When piped via curl|bash, stdin is the script itself.
# Redirect stdin for commands that might consume it.
echo ""
echo "=== NanoClaw Docker Sandbox Setup ==="
echo ""
echo "Workspace: ${WORKSPACE}"
echo "Sandbox: ${SANDBOX_NAME}"
echo ""
# ── Preflight ──────────────────────────────────────────────────────
if [[ "$(uname -s)" == "Darwin" && "$(uname -m)" != "arm64" ]]; then
echo "ERROR: Docker AI Sandboxes require Apple Silicon (M1 or later)."
echo "Intel Macs are not supported. See: https://docs.docker.com/sandbox/"
exit 1
fi
if ! command -v docker &>/dev/null; then
echo "ERROR: Docker not found."
echo "Install Docker Desktop 4.40+: https://www.docker.com/products/docker-desktop/"
exit 1
fi
if ! docker sandbox version </dev/null &>/dev/null; then
echo "ERROR: Docker sandbox not available."
echo "Update Docker Desktop 4.40+ and enable sandbox support."
exit 1
fi
# ── Clone NanoClaw on host ─────────────────────────────────────────
echo "Cloning NanoClaw..."
git clone -b "$REPO_BRANCH" "$REPO_URL" "$WORKSPACE" </dev/null
# ── Create sandbox using Claude agent type ─────────────────────────
echo "Creating sandbox..."
echo y | docker sandbox create --name "$SANDBOX_NAME" claude "$WORKSPACE"
# ── Configure proxy bypass for messaging platforms ─────────────────
echo "Configuring network bypass..."
docker sandbox network proxy "$SANDBOX_NAME" \
--bypass-host api.anthropic.com \
--bypass-host "api.telegram.org" \
--bypass-host "*.telegram.org" \
--bypass-host "*.whatsapp.com" \
--bypass-host "*.whatsapp.net" \
--bypass-host "*.web.whatsapp.com" \
--bypass-host "discord.com" \
--bypass-host "*.discord.com" \
--bypass-host "*.discord.gg" \
--bypass-host "*.discord.media" \
--bypass-host "slack.com" \
--bypass-host "*.slack.com" </dev/null
echo ""
echo "========================================="
echo " Sandbox created! Launching..."
echo "========================================="
echo ""
echo "Type /setup when Claude Code starts."
echo ""
docker sandbox run "$SANDBOX_NAME" </dev/tty# ── Configure proxy bypass for messaging platformslol
But more importantly: the issue is | bash. It's fine if you change that into > /tmp/script.sh and then you do cat /tmp/script.sh and then you do bash /tmp/script.sh
The problem is immediate execution. Imagine all these gazillion of years people spent on trying to make eval secure in any language (and often gave up)... and then people do this.
"Yes, I trust you, random anon on the internet that vibe coded something, what can possibly go wrong?"
Right! | bash the script is the biggest issue. Hahaha
What does this mean?