Put your agents in containers
where they belong.

Isolated, firewalled, policy-gated, monitored, credential-forwarding container environments for your Claude Code agents — secure by default. One CLI.

Handing the keys to a mythos-class Fable 5 agent? You especially want the sandbox.

Harness the harness

A padded cell for AI coding agents — how clawker's container security model compares to running Claude Code bare metal or in sandbox mode.

Threat model diagram comparing the security of bare metal, sandbox, and container deployment modes for Claude Code AI agents

"Prompt injection can change the agent's intent, but it can't change the container's constraints."

— the threat model
terminal
$ brew install schmitthub/tap/clawker
$ curl -fsSL https://clawker.dev/install.sh | bash
$ clawker run -it --agent fix --worktree bugfix:main @
# Forwarding SSH keys + git config
# Firewall: github.com, npmjs.org
clawker.myapp.fix ready

Features

all the negative parallelisms, rule of threes, and em dashes below compliments of ai slop... ain't no way i was gunna write the splash page myself

Agent-in-Container

Each Claude Code agent gets its own sandboxed Docker container with embedded Dockerfile templates and a purpose-built init daemon. Alpine or Debian, your call.


Fresh or Copy Agent Mode

Clean install or seamless transition — bring your existing Claude Code settings, plugins, skills, and auth along for the ride. Config and memory persist in volumes across container restarts.

Bind or Snapshot

Live-sync your workspace with bind mounts, or give the agent a snapshot copy for pure isolation. You pick the sandbox level.

Kernel-Side Egress Firewall

Deny-by-default networking via Envoy, CoreDNS, and eBPF — unlisted domains don't even resolve. TLS inspection enables path- and method-level rules, enforced kernel-side where the agent holds no privileges. Per-project rules via clawker.yaml.


Credential Forwarding

SSH agent, GPG agent, git HTTPS, and Claude Code auth forwarded from your host automatically — private keys never enter the container. No copy-pasting secrets.


Jailed Docker

A guardrail layer between clawker and Docker that prevents operations on resources created outside of clawker. You won't accidentally nuke unrelated containers, networks, or volumes.


Project Namespace Isolation

Container resources scoped per-project. Run multiple projects simultaneously without stepping on each other's toes.

Dedicated Docker Network

All clawker resources live on the same clawker-net Docker network for easy communication.

Git Worktrees

Run parallel agents on separate branches with a single flag. Clawker handles worktree lifecycle, and host-path mirroring keeps Claude Code /resume working across container restarts.


Host Proxy Service

Browser authentication callbacks forwarded from container to host. OAuth flows just work — zero config.

Injectable Build Instructions

Custom packages, environment variables, and scripts injected at container build time. Your Dockerfile, your rules.


Lifecycle Hooks

post_init scripts that run once after container init, plus pre_run hooks on every start. Perfect for MCP server setup, custom tooling, or whatever your workflow needs.

Control Plane

A per-host supervisor that owns the firewall lifecycle, eBPF programs, and the agent identity registry. mTLS gRPC with OAuth2 — and if the control plane dies, firewall rules stay pinned in the kernel. Fail closed, not open.


Monitoring & Observability

Real-time insight into your agents' tool calls, decisions, costs, and token usage. Optional OpenTelemetry stack with Prometheus metrics, OpenSearch logs, and preinstalled Claude Code Cost & Usage dashboards out of the box.


Egress Audit Trail

Every firewall decision — allowed, denied, even bypassed — logged as a structured event with per-agent attribution. Records travel an mTLS-authenticated lane agents can't forge. Bypass mode is no longer a forensic black hole.


Frequently Asked Questions

How do I sandbox Claude Code?

Run it in a container. clawker builds an isolated Docker container per agent with a deny-by-default egress firewall, forwards your git credentials and Claude Code settings in, and gives you a single CLI to build, run, and attach. One command: clawker run.

Is it safe to run Claude Code with --dangerously-skip-permissions?

On your host, you are trusting the agent with your filesystem, credentials, and network. Inside a clawker container the blast radius is the container: the workspace is the only host data mounted in, outbound traffic is blocked unless whitelisted, and the agent runs unprivileged with no Linux capabilities.

How is clawker different from devcontainers or Claude Code sandbox mode?

Devcontainers hand you a container and stop there. clawker ships the infrastructure around it: a control plane and kernel-side firewall stack in a box, agents seeded with auth material for provenance and trust, a custom PID 1 supervisor that executes control-plane commands, OpenTelemetry monitoring pre-built for Claude Code and security events, and Claude Code memory that persists between environments. Sandbox mode restricts the process — but it still shares your host.

Which models does clawker work with?

Any model Claude Code can run — clawker contains the harness, not the model. That includes Anthropic models from Haiku and Sonnet up to mythos-class Fable 5.

What platforms does clawker support?

macOS and Linux, with Docker installed and running. Install via Homebrew (brew install schmitthub/tap/clawker) or the shell script. Windows is not currently supported.

Does clawker protect against prompt injection?

clawker does not try to filter content — LLMs can be coerced through base64, steganography, even ancient languages, and that is an arms race you cannot win. It constrains the network instead: prompt injection can change the agent's intent, but it cannot change the container's constraints. If the agent is coerced into exfiltration, the firewall blocks the egress and the attempt lands in the audit trail.

Can the agent still reach the internet?

Only where you allow it. DNS for unlisted domains returns NXDOMAIN, and allowed domains can be scoped down to specific URL paths and HTTP methods via per-project rules in clawker.yaml.
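
A conceptual model of the two gates this answer describes (name resolution first, then method and path), with one structured audit event per decision. It is an added example, not clawker's code, and the rule shape is not the clawker.yaml schema; the Rule fields, the sample policy and the agent name are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class Rule:                            # hypothetical shape, not clawker.yaml's schema
    domain: str                        # exact host name allowed to resolve
    methods: frozenset = frozenset()   # empty means any HTTP method
    prefixes: tuple = ()               # empty means any path

@dataclass
class EgressPolicy:
    rules: list
    audit: list = field(default_factory=list)  # one structured event per decision

    def _log(self, agent, layer, target, decision):
        self.audit.append({"agent": agent, "layer": layer,
                           "target": target, "decision": decision})
        return decision == "allow"

    def resolve(self, agent, host):
        """DNS gate: a host with no rule does not resolve at all."""
        known = any(r.domain == host for r in self.rules)
        return self._log(agent, "dns", host, "allow" if known else "NXDOMAIN")

    def check(self, agent, method, url):
        """HTTP gate: needs the plaintext method and path (TLS inspection)."""
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        if not self.resolve(agent, host):
            return False
        # Decode and normalise first so "/ok/../secret" cannot pass a prefix rule.
        path = posixpath.normpath(unquote(parts.path) or "/")
        for r in (r for r in self.rules if r.domain == host):
            method_ok = not r.methods or method.upper() in r.methods
            path_ok = not r.prefixes or any(
                path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")
                for p in r.prefixes)
            if method_ok and path_ok:
                return self._log(agent, "http", f"{method} {host}{path}", "allow")
        return self._log(agent, "http", f"{method} {host}{path}", "deny")

# Constructed sample policy and agent name, for illustration only.
POLICY = EgressPolicy([
    Rule("github.com", frozenset({"GET"}), ("/schmitthub/",)),
    Rule("npmjs.org"),
])
AGENT = "clawker.myapp.fix"
```

The prefix match is segment-aware, so a rule for /schmitthub/ does not admit /schmitthub-evil/, and a request to an unlisted host produces a single DNS-layer event because it never reaches the HTTP gate.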

Get Started

macOS and Linux. Needs Docker.

Homebrew
$ brew install schmitthub/tap/clawker
Shell Script
$ curl -fsSL https://clawker.dev/install.sh | bash