Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation
1. thepoe+I2 2026-02-01 23:15:09
>>jimmin+(OP)
One of the things that makes Clawdbot great is the allow all permissions to do anything. Not sure how those external actions with damaging consequences get sandboxed with this.

Apple containers have been great, especially since each of them maps 1:1 to a dedicated lightweight VM. Except for a bug or two that appeared in the early releases, things seem to be working out well. I believe not a lot of projects are leveraging it.

A general code execution sandbox for AI code or otherwise that uses Apple containers is https://github.com/instavm/coderunner. It can be hooked to Claude Code and others.

2. jckahn+X8 2026-02-02 00:06:51
>>thepoe+I2
> One of the things that makes Clawdbot great is the allow all permissions to do anything.

Is this materially different than giving all files on your system 777 permissions?

3. the_fa+Ci 2026-02-02 01:35:17
>>jckahn+X8
> Is this materially different than giving all files on your system 777 permissions?

Yes, because I can't read or modify your files over the internet just because you chmod'ed them to 777. But with Clawdbot, I can!
