PocketClawvol. 1 · 2026
term

Sandbox

Isolation layer that constrains what an agent's tool execution can access on the host.

Modern self-hosted agents use Docker containers, Apple containers, gVisor, or Workers runtimes as sandboxes. The sandbox enforces filesystem boundaries, network egress allowlists and resource limits. Sandbox-on-by-default is the post-OpenClaw-crisis baseline expectation.

Related terms

Docker sandboxgVisorTool call

Found a definition that's wrong, dated or could be sharper? Email us — we update with attribution unless you'd rather we didn't.