OpenClaw Sandboxing Options: Docker vs VM vs OS Sandbox

If a skill can run shell commands, you should treat it like untrusted code execution.

Sandboxing is how you reduce blast radius when something goes wrong.

Option 1: Docker

Best for most developers:

  • fast to set up
  • good isolation for filesystem/process/network when configured
  • easy to throw away and rebuild

Guide: /guides/sandbox-setup
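
What "when configured" can look like in practice, as an added example that is not OpenClaw's own setup or code: a least-privilege `docker run` command line, and a small check that flags the settings which undo the isolation. The image name, the /workspace mount point, uid 65534 and the resource limits are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not OpenClaw code. IMAGE, /workspace, uid 65534 and the
# resource limits are assumptions chosen for illustration.
IMAGE="${IMAGE:-debian:stable-slim}"

# Print a least-privilege `docker run` command for one throwaway workspace.
sandbox_cmd() {
    printf '%s ' docker run --rm \
        --network none \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop ALL --security-opt no-new-privileges \
        --pids-limit 128 --memory 512m --cpus 1 \
        --user 65534:65534 \
        -v "$1:/workspace:rw" -w /workspace \
        "$IMAGE"
    echo
}

# Print one finding per line for settings that weaken the boundary.
audit_cmd() {
    cmd=" $1 "
    case $cmd in *" --privileged "*)
        echo "privileged: container gets near-host access" ;; esac
    case $cmd in *docker.sock*)
        echo "docker.sock: container can control the Docker daemon" ;; esac
    case $cmd in *"--network host"*|*"--network=host"*)
        echo "host-network: container shares the host network stack" ;; esac
    case $cmd in *"--network none"*|*"--network=none"*) ;; *)
        echo "network: not disabled by default" ;; esac
    case $cmd in *"--cap-drop ALL"*|*"--cap-drop=ALL"*) ;; *)
        echo "capabilities: defaults not dropped" ;; esac
    case $cmd in *no-new-privileges*) ;; *)
        echo "no-new-privileges: setuid escalation not blocked" ;; esac
    case $cmd in *" --read-only "*) ;; *)
        echo "rootfs: writable" ;; esac
}

# Constructed weak invocation for comparison (printed and audited, never run).
WEAK='docker run -it --privileged -v /var/run/docker.sock:/var/run/docker.sock debian:stable-slim'

echo "hardened: $(sandbox_cmd "$PWD/skill-workspace")"
echo "hardened findings: $(audit_cmd "$(sandbox_cmd "$PWD/skill-workspace")" | wc -l)"
echo "weak findings:"; audit_cmd "$WEAK"
```

The workspace directory is the only writable host path in the hardened command, and it must be writable by the uid passed to `--user`.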

Option 2: Virtual machine (strong isolation, more overhead)

VMs are the “heavier, safer” option:

  • strongest boundary against host compromise
  • good for high-risk skills or unknown supply chain
  • slower and more resource heavy

Use a VM when:

  • you routinely run untrusted skills with shell
  • you keep sensitive credentials on the host
  • you want a strict separation between work and experimentation

Option 3: OS-level sandbox (varies by platform)

OS sandboxes can help, but they vary widely:

  • macOS: app sandboxing, TCC prompts, per-app permissions
  • Linux: namespaces, seccomp, AppArmor/SELinux

In practice, Docker is usually simpler and more consistent.

Which one should you choose?

Simple decision:

  • Normal dev work: Docker sandbox + least privilege.
  • High-risk work: VM + no network by default.
  • Teams: standardize one approach so “safe by default” is consistent.