Secure Sandboxes

Run untrusted agent code safely in a lightweight WASM-based Alpine Linux VM. Node.js native execution with full networking.

Get Started How it works

agentvm -- worker thread node:wasi

OpenClaw Skill

Ready to give your agent full Linux capabilities? Install the official AgentVM skill for OpenClaw.

1. Install Dependencies

Add the package to your OpenClaw root:

npm install deepclause-agentvm

2. Install Skill

Download skill files from GitHub:

GitHub: deepclause/agentvm

# Copy contents to: ~/.openclaw/workspace/skills/agentvm/

3. Restart

Restart your OpenClaw gateway:

openclaw gateway restart

Key Features

True Isolation

Not just a container. A complete Alpine Linux Virtual Machine compiled to WebAssembly. Isolate memory and execution completely.

Full Networking

Includes a TCP/IP stack running inside WASM. Agents can make HTTP requests, run servers, and interact with the web safely via NAT.

Host Mounting

Seamlessly mount host directories into the VM. Read/write files from the host system with controlled permissions.

Lightweight

Runs in a Node.js Worker Thread. Non-blocking execution ensures your main application usage remains smooth.

Universal Agent Runtime

Works with Any Agent

AgentVM is the preferred execution environment for all autonomous agents. Whether you use a framework or raw CLI, we provide the secure sandbox.

The "Pi Agent" logic needs a safe place to run tools, execute code, and browse the web. AgentVM is that place.

Framework Agnostic From OpenClaw to LangGraph, drop AgentVM into your pipeline as the execution node.
CLI Driven Test and run agents directly from the command line. No complex server setup required.

🦞

OpenClaw

Local-first personal assistant.

Connection Method openclaw connect agent:vm # Automatic detection

🤖

AG2

Conversational framework.

Python SDK ag2.register_runtime( type="agentvm" )

🦜

LangGraph

Stateful orchestration.

Graph Node builder.add_node( "executor", AgentVM() )

💻

CLI Mode

Direct execution.

Terminal $ agentvm run ./agent.js # Sandbox active

How It Works

Installation

Install via npm to get the core library and the WASM image.

npm install deepclause-agentvm

Architecture

Input: Node.js calls `vm.exec(cmd)`
Process: Worker Thread -> WASM -> Alpine Linux
Output: Stdout/Stderr captured via shared memory.

Code Example

agent-logic.js

                const { AgentVM } = 'deepclause-agentvm';

                async function main()
                {

                  const vm = new
                AgentVM({

                    network: true, // NAT enabled automatically

                    mounts: { '/mnt/data': './data' }

                  });

                  await vm.start();

                  // Execute safely isolated code

                  const result = await vm.exec('curl https://example.com');

                  console.log(result.stdout);

                  await vm.stop();

                }