The tension between enabling powerful autonomous agents and protecting systems from their mistakes is becoming one of the defining technical challenges of 2026. A partnership between NanoClaw, an open-source AI agent platform, and Docker attempts to address this by layering isolation mechanisms, creating what developers call defence in depth.
NanoClaw can now run inside Docker Sandboxes, furthering the project's commitment to security. Users can install NanoClaw into a Docker Sandbox, a micro VM that gives stronger isolation from the host than a container does: a container is an isolated process sharing the host's kernel, whereas a micro VM has its own kernel.
"With Docker Sandboxes, that boundary is now two layers deep," explained Gavriel Cohen, co-founder of NanoClaw, in a blog post. The model works like Russian nesting dolls: each agent runs in its own container, isolated from other agents, and all containers run inside a micro VM isolated from the host machine. "Security has to be enforced outside the agentic surface, not depend on the agent behaving correctly."
This architecture responds directly to the security crisis that has consumed the broader AI agent ecosystem. NanoClaw grew out of an effort to close the security holes opened by OpenClaw, which attracted widespread attention earlier this year as a way to let AI models roam the web and operate applications on users' behalf with few constraints. A security audit conducted in late January 2026 identified a full 512 vulnerabilities, eight of which were classified as critical. Beyond the code flaws, OpenClaw has been found susceptible to multiple vulnerabilities, ranging from moderate to high severity, that could result in remote code execution, command injection, server-side request forgery, authentication bypass, and path traversal.
The philosophical difference between the two approaches is instructive. OpenClaw runs directly on the host machine by default. It has an opt-in Docker sandbox mode, but it is turned off out of the box, and most users never turn it on. Without it, security relies entirely on application-level checks: allowlists, confirmation prompts, a set of "safe" commands. NanoClaw inverts this: container isolation is a core part of the architecture. Each agent runs in its own container, in Docker or, on macOS, in an Apple Container. Containers are ephemeral, created fresh per invocation and destroyed afterward. The agent runs as an unprivileged user and can only see directories that have been explicitly mounted in.
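The per-agent container properties just described (ephemeral, unprivileged user, only explicitly mounted directories visible) map onto ordinary `docker run` flags. The helper below is an added example, not NanoClaw's own code: it prints such a command for review rather than executing it, and a second function checks a proposed command against those same properties. The image name `agent-image:latest`, the `/workspace` mount point and the task-as-argument convention are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not NanoClaw's code). Prints a docker run
# command that applies the isolation properties described above to one agent
# invocation. Assumed: image agent-image:latest, task passed as first argument.

agent_run_cmd() {
    workspace="$1"   # the only host directory the agent may see
    task="$2"        # task string handed to the agent inside the container
    # --rm: ephemeral, destroyed after this invocation, fresh next time
    # --user 65534:65534: unprivileged uid/gid, never root
    # --read-only + --tmpfs: image filesystem immutable, scratch space only in /tmp
    # --cap-drop ALL + no-new-privileges: no kernel capabilities, no setuid escalation
    # --network none: a sandbox confines files and processes, not what the agent may
    #   reach, so network is denied outright here rather than filtered
    # --mount: only the explicitly mounted workspace is visible from the host
    echo "docker run --rm" \
         "--user 65534:65534" \
         "--read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m" \
         "--cap-drop ALL --security-opt no-new-privileges" \
         "--network none" \
         "--pids-limit 256 --memory 2g" \
         "--mount type=bind,src=${workspace},dst=/workspace" \
         "--workdir /workspace" \
         "agent-image:latest '${task}'"
}

# Policy check for a proposed command line: returns 0 if it keeps the
# ephemeral / unprivileged / explicit-mount properties, 1 with a reason otherwise.
check_agent_cmd() {
    cmd="$1"
    case "$cmd" in *"--privileged"*)
        echo "reject: --privileged disables the container boundary" >&2; return 1;; esac
    case "$cmd" in *"--rm"*) ;; *)
        echo "reject: not ephemeral (missing --rm)" >&2; return 1;; esac
    case "$cmd" in *"--user "*) ;; *)
        echo "reject: would run as root (missing --user)" >&2; return 1;; esac
    case "$cmd" in *"--user 0:"*|*"--user root"*)
        echo "reject: --user is root" >&2; return 1;; esac
    case "$cmd" in *"src=/,"*|*" -v /:"*)
        echo "reject: host root filesystem mounted" >&2; return 1;; esac
    return 0
}

# Dry run: print the command for the current directory and verify it passes policy.
cmd=$(agent_run_cmd "$PWD" "list the files in the workspace")
echo "$cmd"
check_agent_cmd "$cmd" && echo "policy OK"
```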
The core problem, as Mark Cavage, Chief Operating Officer of Docker, framed it, is a collision between two opposed principles. "Agents fundamentally are different and they violate that primitive from day one. You launch the agent and the very first thing it wants to do is look at the environment, install new packages, write some files, spin up databases that are mocked. It just wants to do stuff." Docker and NanoClaw are trying to reconcile the deterministic nature of computers with the non-deterministic nature of AI models. Mixing systems predicated on predictability with unpredictable AI models is not a solved problem, and it will occupy the industry for a while.
The practical benefit is substantial. "Once you get there, then the developers all of a sudden go from effectively babysitting the agent to just letting it run for minutes or hours or longer at a time. That's the huge productivity unlock." Docker Sandboxes are supported on macOS (Apple Silicon) and Windows (x86), with Linux support due in a few weeks.
The approach has its critics, however. Some researchers note that even sandboxed execution does not solve the problem of authorisation and capability control. A sandbox controls where code runs and which local files an agent can modify. It does not control what the agent is allowed to do across systems or how confidently it interprets the task you gave it. An agent confined to a sandbox could still, if instructed via prompt injection, attempt to exfiltrate data to external servers or escalate privileges within the sandbox's scope.
Still, Docker Sandboxes let you run AI coding agents in isolated environments on your machine. Sandboxes provide a secure way to give agents autonomy without compromising your system. For developers tired of choosing between agent capability and basic system safety, the innovation addresses an immediate practical need. Whether it solves the deeper architectural challenge of building trustworthy autonomous systems remains to be seen.