February 28, 2026
Cage your bot, save your inbox
Don't trust AI agents
Lock up your robot helpers — users say cages, not guardrails
TLDR: A developer says treat AI helpers like untrusted guests and lock each one in its own disposable sandbox with NanoClaw. Commenters split between “obvious,” “containers won’t save you from tricked prompts,” and “just give assistants no permissions,” making it clear safety beats convenience—and your inbox is on the line.
The internet heard “Don’t trust AI agents” and screamed back: finally. Developer Gavriel Cohen unveiled NanoClaw, a “put-your-bot-in-a-box” setup where every AI helper runs in its own disposable mini-jail, and took a swing at rival OpenClaw for running loose on your computer by default. He also dragged OpenClaw’s giant codebase—hundreds of thousands of lines—as a bug buffet, even citing Microsoft’s analysis.
But the comments turned it into a street fight. One camp shrugged “d’uh,” like we’ve known the bots are sneaky. The doomers piled on: “Docker is not a security boundary,” warning you’re one bad prompt away from giving up your email. Minimalists countered with a flex: their assistants have zero permissions and still handle to-dos, reminders, and web searches—no chaos, no drama. The big skeptics fired back that even a “tiny jail” isn’t enough; if a bot can touch your inbox, it can wreck your day, containers or not, and we need a whole new playbook.
Meanwhile, the peanut gallery memed it up with “tiny jail” vs. “leaky sandbox” jokes and a bureaucracy metaphor: bloated code is the new paper-pushing—jobs for lines of code, not safety. Verdict? The community loves the cage imagery, but they’re still not sleeping easy.
Key Points
- The article advocates treating AI agents as untrusted and designing systems to contain potential misbehavior.
- NanoClaw uses per-agent, ephemeral container isolation (Docker or Apple container on macOS) with least-privilege access and OS-enforced boundaries.
- OpenClaw runs on the host by default; even with sandboxing enabled, agents share a container, creating leakage risks.
- NanoClaw implements defense-in-depth: a mount allowlist blocking sensitive paths by default, externalized configs, and read-only host mounts to prevent persistence.
- OpenClaw’s large, rapidly written codebase is flagged as a security risk; Microsoft’s analysis is cited as confirming risks via normal API calls.
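As an added example, and not code from NanoClaw, OpenClaw or the article's author, here is one way to express the per-agent ephemeral container, read-only host mounts and deny-by-default mount allowlist that the Key Points describe. The sensitive-path list, the function names, the explicit `home` parameter and the chosen container flags are this editor's assumptions; the code only builds the `docker run` argument list so the policy can be checked without a container runtime present.

```python
"""Per-agent ephemeral sandbox launch with a mount allowlist (added example).

Policy: deny by default. A host path is mounted only if it lies inside an
allowlisted directory AND is not under a sensitive prefix; every host mount
is read-only except one scratch directory, and the container is discarded
on exit. Path lists and names here are constructed for illustration.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Sequence

# Host paths an agent must never see, whatever the allowlist says (constructed list).
SENSITIVE_PREFIXES = (
    "~/.ssh", "~/.aws", "~/.gnupg", "~/.config/gcloud", "~/.docker",
    "~/.bash_history", "/etc", "/var/run/docker.sock",
)


def normalize(path: str, home: str) -> str:
    """Expand ~ against an explicit home dir and collapse ../ components,
    so '~/.ssh/../.aws' and '/home/user/.aws' are judged the same way."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return os.path.normpath(path)


def _under(path: str, root: str) -> bool:
    """True if path equals root or is inside it (both already normalized)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def is_sensitive(path: str, home: str) -> bool:
    """True if the path equals or lies under any sensitive prefix."""
    p = normalize(path, home)
    return any(_under(p, normalize(prefix, home)) for prefix in SENSITIVE_PREFIXES)


def check_mount(requested: str, allowlist: Sequence[str], home: str) -> str:
    """Return the normalized host path if it is allowlisted and not sensitive;
    raise ValueError otherwise. The sensitive check wins over the allowlist."""
    p = normalize(requested, home)
    if is_sensitive(p, home):
        raise ValueError(f"refusing sensitive path: {requested}")
    if not any(_under(p, normalize(a, home)) for a in allowlist):
        raise ValueError(f"path not in mount allowlist: {requested}")
    return p


@dataclass(frozen=True)
class AgentSandbox:
    name: str
    image: str
    allowlist: tuple   # host directories this agent may be granted
    home: str          # explicit so the policy is testable without a real $HOME


def docker_run_args(sb: AgentSandbox, session: str,
                    mounts: Sequence[str], scratch: str) -> list:
    """Build the `docker run` argv for one ephemeral, least-privilege agent
    session. Nothing is executed here; the caller passes the list on."""
    args = [
        "docker", "run", "--rm",                 # ephemeral: removed at exit
        "--name", f"{sb.name}-{session}",        # one container per session
        "--read-only",                           # immutable root filesystem
        "--tmpfs", "/tmp",                       # scratch space that does not persist
        "--cap-drop=ALL",                        # no Linux capabilities
        "--security-opt=no-new-privileges",      # no setuid escalation inside
        "--user", "65534:65534",                 # unprivileged uid/gid
    ]
    for m in mounts:
        host = check_mount(m, sb.allowlist, sb.home)
        # Read-only host mount: the agent can read inputs but cannot persist changes.
        args += ["-v", f"{host}:/mnt/{os.path.basename(host)}:ro"]
    work = check_mount(scratch, sb.allowlist, sb.home)
    args += ["-v", f"{work}:/work:rw", "-w", "/work", sb.image]
    return args


if __name__ == "__main__":
    # Constructed demo: a hypothetical "mail-agent" allowed only its project and scratch dirs.
    sandbox = AgentSandbox("mail-agent", "python:3.12-slim",
                           ("~/projects", "~/agent-scratch"), "/home/user")
    print(shlex.join(docker_run_args(sandbox, "s1", ["~/projects/demo"],
                                     "~/agent-scratch/s1")))
    for bad in ("~/.ssh", "~/.ssh/../.aws", "~/Documents"):
        try:
            docker_run_args(sandbox, "s2", [bad], "~/agent-scratch/s2")
        except ValueError as e:
            print("denied:", e)
```

The `..` normalization is the part worth copying: a naive prefix check on the raw string lets a request for `~/.ssh/../.aws` slip past a denylist, while normalizing first judges it as the `~/.aws` it really is. Rejecting anything outside the allowlist, rather than only rejecting a known-bad list, is what makes the policy deny-by-default.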