IronClaw: a Rust-based clawd that runs tools in isolated WASM sandboxes (github.com)
132 points by dawg91 7 hours ago
amluto 3 hours ago
I'm getting tired of these vibe-designed security things. I skimmed the "design". What is sandboxed from what? What is the threat model? What does it protect against, if anything? What does it fail to protect against? How does data get into a sandbox? How does it get out?
It kind of sounds like the LLM built a large system that doesn't necessarily achieve any actual value.
itissid an hour ago
I think a few things explain these kinds of projects
1. There are a lot of Agentic Data Plane startups for knowledge workers(not really for coders[1] but for CFOs, Analysts etc) going up. e.g https://www.redpanda.com/ For people to ask "Hey give me a breakdown of last year's sales target by region, type and compare 2026 to 2025 for Q1".
Now this can be done entirely on intranet and only on certain permissioned data servers — by agents or humans — but as someone pointed out the intranet can also be a dangerous place. So I guess this is about protecting DB tables and Jiras and documentation you are not allowed to see.??
2. People who have skills — like the one OP has with wasm (I guess?) — are building random infra projects for enabling this.
3. All the coding people are getting weirded out by its security model because it is ofc not built for them.
[1] As I have commented elsewhere on this thread the moment a coder does webfetch + codeexec its game over from security perspective. Prove me wrong on that please.
amelius 2 hours ago
Yes, I'm also tired of this black-box-for-everything approach. It may work for some cases, you may cherry pick some examples, but at the end of the day it is just stupid, and you are just kicking the can down the road and faking a solution. I'm hoping to see fewer of these posts. Until there is actual provable merit.
dawg91 2 hours ago
I mean it is described somewhat succinctly no? Potentially untrusted tools are isolated from the rest of the system - there were recently some cases of skills for openclaw being used as vectors for malware. This minimizes the adverse effect of potential malicious skills. Also protects from your agent to leaking your secrets left and right - because it has no access to them. Secrets are only supplied when payloads are leaving the host - i.e. the AI never sees your keys.
amluto an hour ago
And what do those tools access? How? If I ask the agent to edit a CSV file, what’s the actual workflow? What prevents it from editing a different file due to a prompt injection attack?
stcredzero 2 hours ago
We have a different security model.
SEKS — Secure Environment for Key Services
We built a broker for the keys/secrets. We have a fork of nushell called seksh, which takes stand-ins for the actual auth, but which only reifies them inside the AST of the shell. This makes the keys inaccessible for the agent. In the end, the agent won't even have their Anthropic/OpenAI keys!
The broker also acts as a proxy, and injects secrets or even does asymmetric key signing on behalf of the proxied agent.
My agents are already running on our fork of OpenClaw, doing the work. They deprecated their Doppler ENV vars, and all their work is through the broker!
All that said, we might just take a few ideas from IronClaw as well.
I put up a Show HN, but no one noticed: https://news.ycombinator.com/item?id=47005607
Website is here: https://seksbot.com/
dawg91 an hour ago
Your eastern european users will have some interesting results when googling for this
fragmede an hour ago
itissid 2 hours ago
Wait. I don't understand the threat vector modelled here. Any agent or two isolated ones that the do Webfetch and code exec, even in separate sandboxes, is pretty much game over as far as defending against threat vectors goes. What am I missing here?
mentalgear 28 minutes ago
tired of these vibe-coded "agents" and vibe-coded security concepts that sound super confident but have no substance, real tests or security audits and just turn out as secure as swiss cheese.
ramoz 4 hours ago
Sandboxes will be left in 2026. We don't need to reinvent isolated environments; not even the main issue with OpenClaw - literally go deploy it in a VM on any cloud and you've achieved all same benefits.
We need to know if the email being sent by an agent is supposed to be sent and if an agent is actually supposed to be making that transaction on my behalf. etc
spankalee 3 hours ago
This is very, very wrong, IMO. We need more sandboxes and more granular sandboxes.
A VM is too coarse grained and doesn't know how to deal with sensitive data in a structured and secure way. Everything's just in the same big box.
You don't want to give a a single agent access to your email, calendar, bank, and the internet, but you may want to give an agent access to your calendar and not the general internet; another access to your credit card but nothing else; and then be able to glue them together securely to buy plane tickets.
ramoz 3 hours ago
You're extending the definition of a sandbox
NitpickLawyer 2 hours ago
spankalee 3 hours ago
nebezb 3 hours ago
You’re repeating the parent commenters position but missing their point: we have isolated environments already, we need better paradigms to understand (and hook) agent actions. You’re saying the latter half is sandboxing and I disagree.
cheriot 3 hours ago
Sandboxes are needed, but are only one piece of the puzzle. I think it's worth categorizing the trust issue into
1. An LLM given untrusted input produces untrusted output and should only be able to generate something for human review or that's verifiably safe.
2. Even an LLM without malicious input will occasionally do something insane and needs guardrails.
There's a gnarly orchestration problem I don't see anyone working on yet.
spankalee 3 hours ago
I think at least a few teams are working on information flow control systems for orchestrating secured agents with minimal permissions. It's a critical area to address if we really want agents out there doing arbitrary useful stuff for us, safely.
lukebuehler 2 hours ago
I think sandboxes are useful, but not sufficient. The whole agent runtime has to be designed to carefully manage I/O effects--and capability gate them. I'm working on this here [0]. There are some similarities to my project in what IronClaw is doing and many other sandboxes are doing, but i think we really gotta think bigger and broader to make this work.
kopollo 2 hours ago
That's why I'm developing a system that only allows messaging with authorized senders using email addresses, chat addresses, and phone addresses, and a tool that feeds anonymized information into an LLM API, retrieves the output, reverses the anonymization, and responds to the sender.
ptx 19 minutes ago
To avoid confusion, since you say the process is reversible, you might want to use the term pseudonymization rather than anonymization.
frolvlad 4 hours ago
Well, the challenge is to know if the action supposed to be executed BEFORE it is requested to be executed. If the email with my secrets is sent, it is too late to deal with the consequences.
Sandboxes could provide that level of observability, HOWEVER, it is a hard lift. Yet, I don't have better ideas either. Do you?
liuliu 3 hours ago
The solution is to make the model stronger so the malicious intents can be better distinguished (and no, it is not a guarantee, like many things in life). Sandbox is a basic, but as long as you give the model your credential, there isn't much guardrails can be done other than making the model stronger (separate guard model is the wrong path IMHO).
ramoz 2 hours ago
ramoz 4 hours ago
if you extend the definition of sandbox, then yea.
Solutions no, for now continued cat/mouse with things like "good agents" in the mix (i.e. ai as a judge - of course just as exploitable through prompt injection), and deterministic policy where you can (e.g. OPA/rego).
We should continue to enable better integrations with runtime - why i created the original feature request for hooks in claude code. Things like IFC or agent-as-a-judge can form some early useful solutions.
lucianmarin 2 hours ago
We should be able to revert any action done by agents. Or present user a queue will all actions for approval.
observationist 4 hours ago
Instrumental convergence and the law of unintended consequences are going to be huge in 2026. I am excited.
ramoz 4 hours ago
same! sharing this link for my own philosphy around it, ignore the tool. https://cupcake.eqtylab.io/security-disclaimer/
hbarka an hour ago
Did anybody notice who the founder of near.ai is? So that’s where he is now.
oxag3n an hour ago
There will be so much fun and revenge if this level of tooling is widely adopted by 1000x engineers. I ate some pop-corn while reading naive src/safety/leak_detector.rs
If agents are reading - add at least minimal encryption detection, I'm sure someone will use Caesar encryption, easy to decode.
skybrian 3 hours ago
Interesting approach. It requires a Near AI account. Supposedly that's a more private way to do inference, but at the same time they do offer Claude Opus 4.6 (among others), so I wonder what privacy guarantees they can actually offer and whether it depends on Anthropic?
bangaladore 2 hours ago
Afaik Anthropic is not giving pretty much any provider model weights, so any inference of Opus is certainly not private. Either going through Anthropic or Bedrock, or Vertex.
Of the three Bedrock is probably the best for trust, but still not private by any means.
dawg91 2 hours ago
They do verifiable inference on TEEs for the open source models. The anthropic ones I think they basically proxy for you (also via trusted TEE) so that it cant be tied to you. VPN for LLM inference so to speak.
ramoz an hour ago
Can you link to the verifiable inference method?
dawg91 an hour ago
dawg91 5 hours ago
Fun fact: it's being developed by one of the authors of "Attention is all you need"
ramoz 4 hours ago
worth mentioning an additional credential/or-not, the creator of "the platform powering the agentic future" (blockchain) https://www.near.org/
edtechdev 3 hours ago
which explains why this tool requires a NEAR AI account to use
RIMR 3 hours ago
bsaul 3 hours ago
looking at the feature parity page, i realized how big openclaw ecosystem has become. It's completely crazy for such a young project to be able to interface with so many subsystems so fast.
At this rate, it's going to be simply impossible to catchup in just a few months.
dawg91 2 hours ago
Idk this seems to be gaining momentum and with devs being able to leverage their skillset via vibe coding anything seems possible really.
ra0x3 4 hours ago
What runtimes are supported? I don't think I saw that part mentioned in the README
jgarzik 3 hours ago
Does it isolate keys away from bots?
dawg91 2 hours ago
Yes exactly, keys are only injected at host boundary
lenwood 4 hours ago
Awesome to see a project deal with prompt injection. Using a WASM is clever. How does this ensure that tools adhere to capability-based permissions without breaking the sandbox?
frolvlad 4 hours ago
Instead of expecting the tools to adhere, they are enforced. For example, to make an HTTP call with a secret key, the tool must use the proxy service that will enforce that the secret key is only used for the specific domain, if that is allowed, then the proxy service will make the call, thus the secret never leaks outside of the service.
However, this design is still under development as it creates quite a bit of challenges.
jonny_eh 4 hours ago
> Using a WASM is clever
Every time a project is shared that uses WASM.
aussieguy1234 2 hours ago
I built myself a docker container for openclaw which has an X server inside with VNC access. Openclaw only has access to a single folder on my machine that is shared with the container.
I'm currently using this for social media research via browser automation, running as a daily cron job.
Given I have VNC access and the browser is not in headless mode I can solve captchas myself as the agent runs into them.
Apart from a known issue with the openclaw browser which the agent itself was made aware of so it could work around it, this has been working well so far.
I'm thinking of open sourcing this container at some point...
928570490687298 2 hours ago
These OpenAI frontends are the new JS frameworks. Not a week goes by without yet another tool to let some vectors install malware or write rants to open source maintainers.
Can't wait for the bubble to pop.
canadiantim 4 hours ago
Reminds me of the LocalGPT that was posted recently too (but which hasnt been updated in 7 months), so nice to see a newer rust-based implementation!
llmslave 3 hours ago
the power of openclaw is theres no sand boxing
dawg91 2 hours ago
Or you design the sandbox so smartly that is seamless...
verdverm 4 hours ago
I suspect OCI wins the sandbox space in the enterprise and everything else will be for hobbyists and companies like vercel that have a very narrow view of how software should be run
whalesalad 5 hours ago
dawg91 4 hours ago
I think the guys who are developing this (Illia Polosoukhin of "Attention is all you need") and others knows enough to leverage their skills with AI vs. producing slop
MarkMarine 4 hours ago
Clearly this developer knows the trick of developing with ai: adding “… and make it secure” to all your prompts. /s
wyck 3 hours ago
You mean llia Polosukhin, who is recognized as an AI founder and co‑authored the landmark 2017 paper “Attention Is All You Need" while at Google Research? /s ?
friendofmine 6 hours ago
Huh what's the benefit
dawg91 6 hours ago
It's a hardened, security-first implementation. WASM runtime specifically is for isolating tool sandboxes
verdverm 4 hours ago
WASM has issues with certain languages, why WASM and not OCI?