So here's the thing — we're all letting AI agents run wild on our machines. Claude Code, Codex, Gemini CLI... they have access to your filesystem, your network, your API keys, everything. We just... trust them? Hope they don't rm -rf something important or exfiltrate data to some random endpoint?
I've been thinking about this problem for a while and I built something about it.
Meet Clawcage
Clawcage is a native macOS app that sandboxes AI agents inside fully isolated Linux VMs using Apple's Virtualization.framework. Every agent runs in an air-gapped environment with no direct internet access, a read-only root filesystem and a scratch disk that gets wiped on every boot.
Think of it as a jail for your AI agents — they can do their work, but they can't touch anything they shouldn't.
What problem does this actually solve?
When you run claude or codex in your terminal, that agent has your permissions. It can read your SSH keys, your .env files, your browsing history. It can make network requests to anywhere. Most of the time it's fine. But "most of the time" isn't a security model.
Clawcage gives you:
- Hardware-level VM isolation — not containers, not namespaces, actual Stage 2 page table isolation via Apple Silicon. There's no shared memory between host and guest.
- Air-gapped networking — there's literally no NIC in the VM. All traffic goes through a MITM proxy on the host where you set domain-level allow/block policies.
- Credential isolation — your API keys never enter the VM. The host-side proxy injects them into outgoing requests. The agent only sees placeholder values.
- Full visibility — every HTTP request, tool call, file change, running process — you can see it all in real time.
- Ephemeral by default — VMs are stateless. Nothing survives across sessions unless you explicitly choose persistence.
You're not locked into any vendor either. Run Claude, Gemini, ChatGPT, Codex, or literally any CLI tool you want inside the sandbox.
The stack
Built with Rust, Tauri 2.0 and React. The guest runs a minimal Linux VM (no systemd, no services — PID 1 is a tiny init script). Boot time is around 10 seconds.
The whole thing is basically:
- Host creates a VM with a serial console and vsock device
- Guest boots Linux, sets up air-gapped networking, launches a PTY agent
- Terminal I/O bridges through vsock to an xterm.js frontend
- HTTPS traffic gets intercepted by the MITM proxy for inspection and policy enforcement
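As an added illustration of the domain-policy and credential-injection model described above (example code written for this post, not Clawcage's own implementation), here is a minimal host-side policy step in Rust. The placeholder token, host names and key in sample_policy are constructed, and the rule that binds each secret to one domain is an assumed extra check so that an allowed but unrelated host can never be used to collect the real key.

```rust
use std::collections::HashMap;

/// What the host decides to do with one outbound request from the VM.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Blocked(String),                // reason; nothing leaves the host
    Forward(Vec<(String, String)>), // headers as they will go upstream
}

/// Domain allow-list plus placeholder -> (bound domain, real secret).
/// Only the placeholder is ever handed to the guest.
pub struct HostPolicy {
    pub allowed_domains: Vec<String>,
    pub secrets: HashMap<String, (String, String)>,
}
fn host_matches(host: &str, domain: &str) -> bool {
    host == domain || host.ends_with(&format!(".{}", domain))
}
impl HostPolicy {
    /// Apply the policy to a request the agent sent to `host` with `headers`.
    pub fn apply(&self, host: &str, headers: &[(String, String)]) -> Verdict {
        // Domain policy first: a blocked host never receives a real credential.
        if !self.allowed_domains.iter().any(|d| host_matches(host, d)) {
            return Verdict::Blocked(format!("{} is not in the allow-list", host));
        }
        // Substitute each placeholder only for the domain its secret is bound to,
        // so an allowed-but-unrelated host cannot be used to collect the key.
        let rewritten = headers.iter().map(|(name, value)| {
            let mut v = value.clone();
            for (placeholder, (bound, real)) in &self.secrets {
                if host_matches(host, bound) {
                    v = v.replace(placeholder.as_str(), real);
                }
            }
            (name.clone(), v)
        }).collect();
        Verdict::Forward(rewritten)
    }
}

/// Constructed sample policy: hypothetical hosts and a fake key, not real values.
pub fn sample_policy() -> HostPolicy {
    let mut secrets = HashMap::new();
    secrets.insert("CLAWCAGE_PLACEHOLDER_A".to_string(),
                   ("api.example-a.test".to_string(), "sk-real-a-0000".to_string()));
    HostPolicy {
        allowed_domains: vec!["api.example-a.test".into(), "api.example-b.test".into()],
        secrets,
    }
}
```

A request to a host outside the allow-list is refused before any substitution happens, and the same placeholder sent to an allowed host that the secret is not bound to is forwarded unchanged, so the upstream simply rejects it.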
It's free and open source
Clawcage is open source on GitHub. Download the .dmg from the releases page, drag it to Applications and you're running.
Requirements: macOS 13+ on Apple Silicon. That's it.
Fair warning: this is a solo project
I'm building this by myself. It works — I use it daily — but it's expected to have rough edges. Things might break. The UI might have quirks. Some features are still being built out.
That said, if you're into systems programming, security tooling, Rust, or Tauri — contributions are very welcome. The codebase is well-documented and the architecture is pretty straightforward once you get the vsock/proxy mental model.
Some areas where help would be awesome:
- Testing on different macOS versions and hardware configs
- Network policy rule suggestions
- UI/UX improvements
- Bug reports (seriously, even "this feels weird" is useful feedback)
What's next
I'm actively working on this and shipping updates frequently. If there's enough interest I'll write follow-up articles diving deeper into the architecture — how the MITM proxy works, the credential isolation model, the ephemeral VM design, etc.
Try it out
- Website: clawcage.hackyguru.com
- GitHub: github.com/hackyguru/clawcage
- Follow me: x.com/hackyguru for updates
Give it a spin, break things, open issues, or just tell me what you think. Would love to hear from anyone else who's been thinking about AI agent security.
If you found this useful, a star on GitHub goes a long way for a solo dev project.