docker-sandbox-lucas
Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls.
Install via ClawdBot CLI:
clawdbot install LucasSeeley/docker-sandbox-lucas
Requires:
Run agents and commands in isolated VM environments using Docker Desktop's sandbox feature. Each sandbox gets its own lightweight VM with filesystem isolation, network proxy controls, and workspace mounting via virtiofs.
docker sandbox plugin
docker sandbox version
docker sandbox create --name my-sandbox claude .
This creates a VM-isolated sandbox with:
docker sandbox exec my-sandbox node --version
docker sandbox exec my-sandbox npm install -g some-package
docker sandbox exec -w /path/to/workspace my-sandbox bash -c "ls -la"
# Create and run in one step
docker sandbox run claude . -- -p "What files are in this project?"
# Run with agent arguments after --
docker sandbox run my-sandbox -- -p "Analyze this codebase"
# Create a sandbox (agents: claude, codex, copilot, gemini, kiro, cagent)
docker sandbox create --name <name> <agent> <workspace-path>
# Run an agent in sandbox (creates if needed)
docker sandbox run <agent> <workspace> [-- <agent-args>...]
docker sandbox run <existing-sandbox> [-- <agent-args>...]
# Execute a command
docker sandbox exec [options] <sandbox> <command> [args...]
-e KEY=VAL # Set environment variable
-w /path # Set working directory
-d # Detach (background)
-i # Interactive (keep stdin open)
-t # Allocate pseudo-TTY
# Stop without removing
docker sandbox stop <sandbox>
# Remove (destroys VM)
docker sandbox rm <sandbox>
# List all sandboxes
docker sandbox ls
# Reset all sandboxes
docker sandbox reset
# Save snapshot as reusable template
docker sandbox save <sandbox>
The sandbox includes a network proxy for controlling outbound access.
# Allow specific domains
docker sandbox network proxy <sandbox> --allow-host example.com
docker sandbox network proxy <sandbox> --allow-host api.github.com
# Block specific domains
docker sandbox network proxy <sandbox> --block-host malicious.com
# Block IP ranges
docker sandbox network proxy <sandbox> --block-cidr 10.0.0.0/8
# Bypass proxy for specific hosts (direct connection)
docker sandbox network proxy <sandbox> --bypass-host localhost
# Set default policy (allow or deny all by default)
docker sandbox network proxy <sandbox> --policy deny # Block everything, then allowlist
docker sandbox network proxy <sandbox> --policy allow # Allow everything, then blocklist
# View network activity
docker sandbox network log <sandbox>
# Use a custom container image as base
docker sandbox create --template my-custom-image:latest claude .
# Save current sandbox state as template for reuse
docker sandbox save my-sandbox
The workspace path on the host is mounted into the sandbox via virtiofs. The mount path inside the sandbox preserves the host path structure:
| Host OS | Host Path | Sandbox Path |
|---|---|---|
| Windows | H:\Projects\my-app | /h/Projects/my-app |
| macOS | /Users/me/projects/my-app | /Users/me/projects/my-app |
| Linux | /home/me/projects/my-app | /home/me/projects/my-app |
The agent's home directory is /home/agent/ with a symlinked workspace/ directory.
Each sandbox VM includes:
- /usr/local/share/npm-global/
- /run/docker.sock (Docker-in-Docker capable)
HTTP_PROXY=http://host.docker.internal:3128
HTTPS_PROXY=http://host.docker.internal:3128
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/proxy-ca.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/proxy-ca.crt
Important: Node.js fetch (undici) does NOT respect HTTP_PROXY env vars by default. For npm packages that use fetch, create a require hook:
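// /tmp/proxy-fix.js
// Requires the undici package to be resolvable from this file (npm install undici).
const proxy = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
if (proxy) {
  const { ProxyAgent } = require('undici');
  // One shared agent so every fetch call is routed through the sandbox proxy.
  const agent = new ProxyAgent(proxy);
  const origFetch = globalThis.fetch;
  globalThis.fetch = function (url, opts = {}) {
    // dispatcher is set last so it overrides any dispatcher the caller passed.
    return origFetch(url, { ...opts, dispatcher: agent });
  };
}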
Run with: node -r /tmp/proxy-fix.js your-script.js
# Create isolated sandbox
docker sandbox create --name pkg-test claude .
# Restrict network to only npm registry
docker sandbox network proxy pkg-test --policy deny
docker sandbox network proxy pkg-test --allow-host registry.npmjs.org
docker sandbox network proxy pkg-test --allow-host api.npmjs.org
# Install and inspect the package
docker sandbox exec pkg-test npm install -g suspicious-package
docker sandbox exec pkg-test bash -c "find /usr/local/share/npm-global/lib/node_modules/suspicious-package -name '*.js' | head -20"
# Check for post-install scripts, network calls, file access
docker sandbox network log pkg-test
# Clean up
docker sandbox rm pkg-test
# Create once
docker sandbox create --name dev claude ~/projects/my-app
# Use across sessions
docker sandbox exec dev npm test
docker sandbox exec dev npm run build
# Save as template for team sharing
docker sandbox save dev
# Deny-all network, allow only what's needed
docker sandbox create --name secure claude .
docker sandbox network proxy secure --policy deny
docker sandbox network proxy secure --allow-host api.openai.com
docker sandbox network proxy secure --allow-host github.com
# Run agent with restrictions
docker sandbox run secure -- -p "Review this code for security issues"
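The deny-then-allowlist pattern used in the package-inspection and locked-down workflows above can be wrapped so that a malformed allowlist entry is caught before any policy change is made. This is an added example, not part of the skill: `lock_down`, `valid_host`, `run_docker` and `SANDBOX_DRY_RUN` are hypothetical names, and only the `docker sandbox network proxy` flags shown on this page are used.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill. lock_down, valid_host, run_docker and
# SANDBOX_DRY_RUN are hypothetical names; the docker flags are those on this page.

# Accept only plain DNS hostnames: no scheme, port, path, wildcard or whitespace.
# Rejecting wildcards is a choice made for this sketch.
valid_host() {
  local h=$1
  [ "${#h}" -le 253 ] || return 1
  case $h in *[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s' "$h" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Run the docker command, or only print it when SANDBOX_DRY_RUN=1.
run_docker() {
  if [ "${SANDBOX_DRY_RUN:-0}" = "1" ]; then
    printf 'docker %s\n' "$*"
  else
    docker "$@"
  fi
}

# lock_down <sandbox> <host>...
# Validates every host first, then sets --policy deny before any --allow-host,
# so a bad entry never leaves the sandbox partly configured.
lock_down() {
  if [ "$#" -lt 2 ]; then
    echo "usage: lock_down <sandbox> <host>..." >&2
    return 2
  fi
  local sandbox=$1 h
  shift
  for h in "$@"; do
    valid_host "$h" || { echo "refusing allowlist entry: $h" >&2; return 1; }
  done
  run_docker sandbox network proxy "$sandbox" --policy deny || return 1
  for h in "$@"; do
    run_docker sandbox network proxy "$sandbox" --allow-host "$h" || return 1
  done
}
```

Source the file and run `SANDBOX_DRY_RUN=1 lock_down pkg-test registry.npmjs.org api.npmjs.org` to review the commands before applying them for real.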
Update Docker Desktop to 4.49+. The sandbox plugin requires engine API v1.44+.
Node.js fetch doesn't use the proxy. Use the proxy-fix.js require hook above, or use curl instead:
docker sandbox exec my-sandbox curl -sL https://api.example.com/data
Git Bash converts /path to C:/Program Files/Git/path. Prefix commands with:
MSYS_NO_PATHCONV=1 docker sandbox exec my-sandbox ls /home/agent
docker sandbox reset # Clears all sandbox state
Generated Mar 1, 2026
Security researchers can use Docker Sandbox to safely analyze potentially malicious code or packages without risking their host systems. The network proxy controls allow restricting connections to only trusted domains while examining suspicious behavior. This enables dynamic analysis of malware samples in an isolated environment with full network monitoring capabilities.
Online coding education platforms can provide students with isolated environments to run untrusted code submissions safely. The sandbox prevents malicious student code from affecting other users or the platform infrastructure. Network controls can restrict access to only educational resources while allowing code execution in a controlled environment.
Software development teams can test third-party npm packages or Python libraries in isolated environments before approving them for production use. The network proxy can restrict access to only package registries while preventing potential data exfiltration. This allows safe evaluation of package behavior and dependencies without risking the main development environment.
AI development teams can test autonomous agents that execute code or interact with external APIs in a controlled environment. The sandbox provides isolation for agents that might perform destructive operations during experimentation. Network controls allow safe API testing while preventing unauthorized external connections.
DevOps teams can run CI/CD pipeline steps in isolated sandboxes to prevent malicious code from compromising build servers. The network proxy controls allow restricting outbound connections to only necessary services like package registries or deployment targets. This adds an additional security layer to automated build processes.
Offer a cloud-based security analysis platform where customers can upload suspicious files or code for automated sandbox analysis. The service provides detailed reports on behavior, network activity, and potential threats detected during execution in isolated environments. Revenue comes from subscription tiers based on analysis volume and report detail.
Integrate the sandbox technology into existing developer tools like IDEs, package managers, or CI/CD platforms as a premium security feature. Offer enterprise licenses to development teams needing safe code execution environments for testing third-party dependencies. Revenue comes from enterprise licensing and integration fees.
License the sandbox technology to online coding schools and technical training platforms that need safe student code execution environments. Provide white-labeled solutions with custom network policies and resource limits for different educational tiers. Revenue comes from platform licensing fees based on student volume and feature sets.
💬 Integration Tip
Integrate with existing CI/CD pipelines by adding sandbox execution steps before deploying code to production, ensuring all third-party dependencies are tested in isolation first.