Clawker

Clawker is a free, open-source, self-hosted AI coding agent sandbox. It runs Claude Code (and other AI coding agents) inside isolated Docker containers on your own machine — no cloud, no subscription, your repo stays on your own machine, never uploaded to a vendor sandbox. The rise of agentic AI has been meteoric, but in the rush to ship model harnesses the industry keeps skipping the risks that come with them. Letting an agent run with --dangerously-skip-permissions on your bare-metal machine is fast — until a prompt injection turns it into a data-exfiltration tool with full access to your credentials and network. The harness itself needs a harness. Clawker is that harness. It pairs real network isolation — a deny-by-default egress firewall that blocks outbound traffic except to domains you allow — with git credential forwarding and parallel git-worktree agents, so you get the convenience of local, parallel Claude Code agents and the network security to run them safely. It fills the gap between cloud agent sandboxes (isolated, but your code leaves your machine and you pay for it) and other local agent runners (free, but with no egress control): self-hosted agent infrastructure that is both fully local and security-deep.

  • Quick Start: get up and running with Clawker in minutes.
  • Installation: all installation methods (Homebrew, curl, source build).
  • Configuration: configure projects with .clawker.yaml.
  • CLI Reference: complete command reference for all CLI commands.

What Is an Agent?

In Clawker, an agent is a named container instance running Claude Code. Each agent gets its own isolated environment with its own filesystem, network, and credentials. You can run multiple agents per project (e.g., --agent dev, --agent review) and they operate independently.

  clawker run -it --agent dev @     # Start a "dev" agent
  clawker run -it --agent review @  # Start a "review" agent in parallel

What Clawker Does

  • Default-on firewall — Blocks outbound traffic except allowlisted domains (Anthropic APIs, package registries). Your agent can’t phone home to unexpected endpoints.
  • Seamless credential forwarding — SSH agent, GPG agent, and Git HTTPS credentials forwarded from your host. No manual key copying.
  • Isolated agent environments — Each Claude Code agent runs in its own Docker container with configurable security controls.
  • Bind or snapshot workspaces — Mount your repo for live editing, or copy it for pure isolation.
  • Embedded Dockerfile template — Parameterized images with common dev tools preinstalled, supporting Alpine or Debian bases.
  • Project-scoped namespacing — Multi-agent, multi-project isolation via Docker labels and naming conventions.
  • Git worktree integration — Spin up agents on separate branches with automatic worktree management and hardened unattended-session lockdown. See Worktree Caveats.
  • Command aliases — One-word shortcuts that expand to full invocations (clawker go dev), shareable with your team via project config. See Command Aliases.
  • Monitoring stack — Optional OpenTelemetry Collector + OpenSearch + OpenSearch Dashboards + Prometheus for agent observability.
  • Per-decision egress observability — eBPF event stream (allowed / denied / bypassed) flows to OpenSearch alongside Envoy and CoreDNS access logs, so bypass windows leave a full audit trail. See Egress Observability.
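The two firewall bullets above (deny-by-default allowlisting, and a per-decision allowed / denied / bypassed event for every connection) can be illustrated with a small policy evaluator. The following Go program is an added example written for this page; it is not Clawker's code, and the EgressPolicy struct, the wildcard syntax "*.npmjs.org" and the log-line format are assumptions chosen for illustration rather than Clawker's .clawker.yaml schema or its eBPF event layout. The destinations fed through it in main are constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Decision is one of the three outcomes the page's egress event stream reports.
type Decision string

const (
	Allowed  Decision = "allowed"
	Denied   Decision = "denied"
	Bypassed Decision = "bypassed"
)

// EgressPolicy is a deny-by-default allowlist. This struct is an illustrative
// stand-in, not Clawker's configuration format. An entry like "api.anthropic.com"
// matches that host exactly; "*.npmjs.org" matches any subdomain but not the apex.
type EgressPolicy struct {
	Allow  []string
	Bypass bool // true while an operator has opened a temporary bypass window
}

// Event is the audit record emitted for every connection decision, including
// the ones taken during a bypass window.
type Event struct {
	Time     time.Time
	Agent    string
	Host     string
	Port     int
	Decision Decision
	Rule     string // the allowlist entry that matched, empty when none did
}

// normalize lowercases and strips the trailing dot of a fully qualified DNS name
// so "API.Anthropic.com." and "api.anthropic.com" compare as the same host.
func normalize(host string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(host), "."))
}

// matches applies one allowlist entry to an already normalized host. The wildcard
// branch keeps the leading dot in the suffix, so "evilnpmjs.org" does not satisfy
// "*.npmjs.org", and the length check keeps the bare apex from matching.
func matches(rule, host string) bool {
	rule = normalize(rule)
	if strings.HasPrefix(rule, "*.") {
		suffix := rule[1:] // ".npmjs.org"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return host == rule
}

// Evaluate decides a single outbound connection. The starting state is Denied and
// only an explicit allowlist hit upgrades it to Allowed. During a bypass window
// unlisted traffic passes, but it is recorded as Bypassed rather than as Allowed,
// which is what makes the bypass window auditable afterwards.
func (p EgressPolicy) Evaluate(agent, host string, port int) Event {
	h := normalize(host)
	ev := Event{Time: time.Now(), Agent: agent, Host: h, Port: port, Decision: Denied}
	for _, rule := range p.Allow {
		if matches(rule, h) {
			ev.Decision, ev.Rule = Allowed, rule
			return ev
		}
	}
	if p.Bypass {
		ev.Decision = Bypassed
	}
	return ev
}

// String renders the event as one log line that could be shipped to a log store.
func (e Event) String() string {
	return fmt.Sprintf("%s agent=%s dst=%s:%d decision=%s rule=%q",
		e.Time.UTC().Format(time.RFC3339), e.Agent, e.Host, e.Port, e.Decision, e.Rule)
}

func main() {
	policy := EgressPolicy{Allow: []string{"api.anthropic.com", "*.npmjs.org"}}
	// Constructed sample destinations, not captured traffic.
	for _, dst := range []string{"API.Anthropic.com.", "registry.npmjs.org", "npmjs.org", "evilnpmjs.org", "attacker.example"} {
		fmt.Println(policy.Evaluate("dev", dst, 443))
	}
	policy.Bypass = true
	fmt.Println(policy.Evaluate("dev", "attacker.example", 443)) // decision=bypassed, still logged
}
```

The point worth checking in any real allowlist matcher is the wildcard branch: matching on the bare suffix "npmjs.org" instead of ".npmjs.org" lets an attacker-registered name such as evilnpmjs.org through, and the evaluator above keeps the dot precisely to close that gap.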

How It Works

Clawker sits between your CLI and Docker, adding a security and convenience layer:

  You (CLI) -> Clawker -> pkg/whail (label-isolated Docker engine) -> Docker SDK -> Docker

Every container, volume, network, and image created by Clawker is tagged with dev.clawker.* labels. Clawker only sees and manages its own resources — it cannot touch anything outside its label scope.
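The label-scoping described above is a simple pattern to implement, and the following Go program shows its shape: an engine wrapper that filters every list call and re-checks the live labels before every destructive call, so an unlabelled container is neither visible nor deletable through it. This is an added example written for this page, not pkg/whail or any other Clawker code. The label keys dev.clawker.managed and dev.clawker.project are hypothetical (the page only states the dev.clawker.* prefix), the Engine interface is a two-method stand-in for the Docker SDK, and the three containers in newDemoEngine are constructed host state.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical label keys: the page states only the dev.clawker.* prefix.
const (
	managedLabel = "dev.clawker.managed"
	projectLabel = "dev.clawker.project"
)

// Container is a minimal stand-in for a Docker container record.
type Container struct {
	ID     string
	Name   string
	Labels map[string]string
}

// Engine is the narrow slice of a Docker-like API that the wrapper consumes.
type Engine interface {
	List() []Container
	Remove(id string) error
}

// ErrOutOfScope is returned for any resource that lacks the scope labels,
// even when the caller names it by exact ID.
var ErrOutOfScope = errors.New("resource is outside the clawker label scope")

// ScopedEngine filters every read and guards every write by label, so a bug or
// a prompt-injected command in the layer above cannot reach foreign containers.
type ScopedEngine struct {
	inner   Engine
	project string // when set, narrows the scope to one project
}

func (s ScopedEngine) inScope(c Container) bool {
	if c.Labels[managedLabel] != "true" {
		return false
	}
	return s.project == "" || c.Labels[projectLabel] == s.project
}

// List returns only in-scope containers; everything else is invisible.
func (s ScopedEngine) List() []Container {
	var out []Container
	for _, c := range s.inner.List() {
		if s.inScope(c) {
			out = append(out, c)
		}
	}
	return out
}

// Remove re-checks the labels of the live record before delegating, instead of
// trusting a name or ID supplied by the caller.
func (s ScopedEngine) Remove(id string) error {
	for _, c := range s.inner.List() {
		if c.ID != id {
			continue
		}
		if !s.inScope(c) {
			return ErrOutOfScope
		}
		return s.inner.Remove(id)
	}
	return fmt.Errorf("no such container: %s", id)
}

// fakeEngine is an in-memory Engine used only to exercise the wrapper offline.
type fakeEngine struct{ containers map[string]Container }

func (f *fakeEngine) List() []Container {
	var out []Container
	for _, c := range f.containers {
		out = append(out, c)
	}
	return out
}

func (f *fakeEngine) Remove(id string) error {
	if _, ok := f.containers[id]; !ok {
		return fmt.Errorf("no such container: %s", id)
	}
	delete(f.containers, id)
	return nil
}

// newDemoEngine builds constructed host state: two agents in different
// projects plus one unrelated database container with no Clawker labels.
func newDemoEngine() *fakeEngine {
	return &fakeEngine{containers: map[string]Container{
		"c1": {ID: "c1", Name: "clawker-myapp-dev", Labels: map[string]string{managedLabel: "true", projectLabel: "myapp"}},
		"c2": {ID: "c2", Name: "clawker-other-dev", Labels: map[string]string{managedLabel: "true", projectLabel: "other"}},
		"c3": {ID: "c3", Name: "postgres", Labels: map[string]string{}},
	}}
}

func main() {
	fake := newDemoEngine()
	eng := ScopedEngine{inner: fake, project: "myapp"}
	fmt.Println("visible:", len(eng.List()))                     // 1
	fmt.Println("remove postgres:", eng.Remove("c3"))            // out of scope
	fmt.Println("remove other project:", eng.Remove("c2"))       // out of scope
	fmt.Println("remove own agent:", eng.Remove("c1"))           // <nil>
	fmt.Println("containers left on host:", len(fake.containers)) // 2
}
```

The design choice that matters is that scope is decided from the labels the engine reports, not from the name the caller passes: a container named to look like a Clawker resource but lacking the labels is still refused, and one that carries the labels of another project is refused when the wrapper is bound to a single project.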