The most common sandbox model in 2026. Hermes Agent and post-2026.3 OpenClaw both use Docker sandboxes. Strong against typical attack vectors but not impervious — kernel-level escape is theoretical and gVisor or Apple containers are stronger options for high-stakes deployments.
Related terms
Found a definition that's wrong, dated or could be sharper? Email us — we update with attribution unless you'd rather we didn't.