{"id":3442,"date":"2026-02-16T14:13:04","date_gmt":"2026-02-16T14:13:04","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/02\/16\/running-nanoclaw-in-a-docker-shell-sandbox\/"},"modified":"2026-02-16T14:13:04","modified_gmt":"2026-02-16T14:13:04","slug":"running-nanoclaw-in-a-docker-shell-sandbox","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/02\/16\/running-nanoclaw-in-a-docker-shell-sandbox\/","title":{"rendered":"Running NanoClaw in a Docker Shell Sandbox"},"content":{"rendered":"<p>Ever wanted to run a personal AI assistant that monitors your WhatsApp messages 24\/7, but worried about giving it access to your entire system? Docker Sandboxes\u2019 new <code>shell<\/code> sandbox type is the perfect solution. In this post, I\u2019ll show you how to run <a href=\"https:\/\/github.com\/shelajev\/nanoclaw\" rel=\"nofollow noopener\" target=\"_blank\">NanoClaw<\/a>, a lightweight Claude-powered WhatsApp assistant, inside a secure, isolated Docker sandbox.<\/p>\n<h2 class=\"wp-block-heading\">What is the Shell Sandbox?<\/h2>\n<p>Docker Sandboxes provides pre-configured environments for running AI coding agents like Claude Code, Gemini CLI, and others. But what if you want to run a <em>different<\/em> agent or tool that isn\u2019t built-in?<br \/>That\u2019s where the <strong>shell sandbox<\/strong> comes in. It\u2019s a minimal sandbox that drops you into an interactive bash shell inside an isolated microVM. No pre-installed agent, no opinions \u2014 just a clean Ubuntu environment with Node.js, Python, git, and common dev tools. You install whatever you need.<\/p>\n<h2 class=\"wp-block-heading\">Why Run NanoClaw in a Sandbox?<\/h2>\n<p>NanoClaw already runs its agents in containers, so it\u2019s security-conscious by design. But running the <em>entire<\/em> NanoClaw process inside a Docker sandbox adds another layer:<\/p>\n<ol class=\"wp-block-list\">\n<li>Filesystem isolation \u2013 NanoClaw can only see the workspace directory you mount, not your home directory<\/li>\n<li>Credential management \u2013 API keys are injected via Docker\u2019s proxy, never stored inside the sandbox<\/li>\n<li>Clean environment \u2013 No conflicts with your host\u2019s Node.js version or global packages<\/li>\n<li>Disposability \u2013 Nuke it and start fresh anytime with <code>docker sandbox rm<\/code><\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.docker.com\/products\/docker-desktop\/\">Docker Desktop<\/a> installed and running<\/li>\n<li>Docker Sandboxes CLI (<code>docker sandbox<\/code> command available) (v.0.12.0 available in the nightly build as of Feb 13)<\/li>\n<li>An Anthropic API key in an env variable<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Setting It Up<\/h2>\n<h3 class=\"wp-block-heading\">Create the sandbox<\/h3>\n<p>Pick a directory on your host that will be mounted as the workspace inside the sandbox. This is the only part of your filesystem the sandbox can see:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\nmkdir -p ~\/nanoclaw-workspace\ndocker sandbox create --name nanoclaw shell ~\/nanoclaw-workspace\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\">Connect to it<\/h3>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\ndocker sandbox run nanoclaw\n<\/pre>\n<\/div>\n<p>You\u2019re now inside the sandbox \u2013 an Ubuntu shell running in an isolated VM. Everything from here on happens inside the sandbox.<\/p>\n<h3 class=\"wp-block-heading\">Install Claude Code<\/h3>\n<p>The shell sandbox comes with Node.js 20 pre-installed, so we can install Claude Code directly via npm:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\nnpm install -g @anthropic-ai\/claude-code\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\">Configure the API key<\/h3>\n<p>This is the one extra step needed in a shell sandbox. The built-in <code>claude<\/code> sandbox type does this automatically, but since we\u2019re in a plain shell, we need to tell Claude Code to get its API key from Docker\u2019s credential proxy:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\nmkdir -p ~\/.claude &amp;&amp; cat &gt; ~\/.claude\/settings.json &lt;&lt; 'EOF'\n{\n  \"apiKeyHelper\": \"echo proxy-managed\",\n  \"defaultMode\": \"bypassPermissions\",\n  \"bypassPermissionsModeAccepted\": true\n}\nEOF\n<\/pre>\n<\/div>\n<p>What this does: <code>apiKeyHelper<\/code> tells Claude Code to run <code>echo proxy-managed<\/code> to get its API key. The sandbox\u2019s network proxy intercepts outgoing API calls and swaps this sentinel value for your real Anthropic key, so the actual key never exists inside the sandbox.<\/p>\n<h3 class=\"wp-block-heading\">Clone NanoClaw and install dependencies<\/h3>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\ncd ~\/workspace\ngit clone https:\/\/github.com\/\u2020\/nanoclaw.git\ncd nanoclaw\nnpm install\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\">Run Claude and set up NanoClaw<\/h3>\n<p>NanoClaw uses Claude Code for its initial setup \u2013 configuring WhatsApp authentication, the database, and the container runtime:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\nclaude\n<\/pre>\n<\/div>\n<p>Once Claude starts, run <code>\/setup<\/code> and follow the prompts. Claude will walk you through scanning a WhatsApp QR code and configuring everything else.<\/p>\n<h3 class=\"wp-block-heading\">Start NanoClaw<\/h3>\n<p>After setup completes, start the assistant:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\nnpm start\n<\/pre>\n<\/div>\n<p>NanoClaw is now running and listening for WhatsApp messages inside the sandbox.<\/p>\n<h2 class=\"wp-block-heading\">Managing the Sandbox<\/h2>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\n# List all sandboxes\ndocker sandbox ls\n\n# Stop the sandbox (stops NanoClaw too)\ndocker sandbox stop nanoclaw\n\n# Start it again\ndocker sandbox start nanoclaw\n\n# Remove it entirely\ndocker sandbox rm nanoclaw\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\">What Else Could You Run?<\/h2>\n<p>The shell sandbox isn\u2019t specific to NanoClaw. Anything that runs on Linux and talks to AI APIs is a good fit:<\/p>\n<ul class=\"wp-block-list\">\n<li>Custom agents built with the Claude Agent SDK or any other AI agent: Claude code, Codex, Github Copilot, OpenCode, Kiro, and more.\u00a0<\/li>\n<li>AI-powered bots and automation scripts<\/li>\n<li>Experimental tools you don\u2019t want running on your host<\/li>\n<\/ul>\n<p>The pattern is always the same: create a sandbox, install what you need, configure credentials via the proxy, and run it.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\">\ndocker sandbox create --name my-shell shell ~\/my-workspace\ndocker sandbox run my-shell\n<\/pre>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Ever wanted to run a personal AI assistant that monitors your WhatsApp messages 24\/7, but worried about giving it access [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":94,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-3442","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3442"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3442\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}