sandbox.
Everything we've published on sandbox across guides, agents, hardware reviews and glossary entries — 14 entries in total.
Guides (1)
- Self-hosted AI security playbook 2026 — the practical operator's guide (AI Agents · 2026-05-01)
Practical security playbook for self-hosted AI agent operators in 2026. Threat model, sandbox setup, credential storage, network isolation, monitoring, incident response. Step-by-step, post-OpenClaw-crisis.
Agents (5)
- OpenClaw
The original viral self-hosted AI agent. Post-crisis 2026.4 line is genuinely safer; pre-2026.3 is genuinely dangerous.
- Hermes Agent
Post-OpenClaw safe default. Docker-sandboxed by default, multi-LLM, opinionated. The agent we'd hand a colleague today.
- Nanobot
4,000-line Python agent designed to be auditable in an afternoon. Trust through verification.
- NanoClaw
macOS-only opinionated fork. Apple containers + Claude. Sub-second boot.
- IronClaw
Enterprise zero-trust agent. gVisor + audit logs + RBAC + SAML. $750/seat/year.
Hardware (1)
- Mac Mini M4 / M4 Pro
The single best small-form-factor host for local LLMs in 2026. Apple Silicon unified memory makes 70B-class models tractable on a desk-sized machine.
Glossary (7)
- Hermes Agent — Open-source self-hosted AI agent from Nous Research, released February 2026. Sandboxed by default, multi-LLM.
- NanoClaw — macOS-only fork of OpenClaw using Apple's container framework for sandboxing. Claude-only.
- IronClaw — Enterprise-grade self-hosted AI agent with gVisor sandboxing, RBAC and audit logging. Source-available.
- Sandbox — Isolation layer that constrains what an agent's tool execution can access on the host.
- Docker sandbox — Sandbox using a Docker container with filesystem mount and network policy controls.
- gVisor — User-space kernel that runs as a sandbox layer between containers and the host kernel.
- Sandboxed tool execution — Running an agent's tool calls inside an isolated environment that limits filesystem, network and process access.