Sandbox & Isolation
Clawpy runs every agent inside a secure, isolated environment. This ensures that no agent can accidentally (or maliciously) modify your host system, access other agents' data, or exhaust shared resources.
The Three Gates
Isolation in Clawpy operates at three levels:
Gate 1: Workspaces (File System Isolation)
Every agent is born into its own dedicated directory. Its tools — file editor, terminal, code runner — are restricted to this workspace root. An agent in one workspace cannot see or modify files belonging to another agent unless explicitly granted collaboration access.
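The workspace-root restriction above is, in effect, a path-confinement check. The following is an added example (not Clawpy's own code) showing how a tool can enforce it: the function name `resolve_in_workspace` and the exception `WorkspaceEscape` are hypothetical, and the demo builds a throwaway workspace with constructed files and a planted symlink.

```python
"""Workspace-root confinement check (added example, not Clawpy's own code).

Every path an agent tool touches must resolve to a location inside the
agent's workspace root. Both '..' traversal and symlinks that point outside
the root are rejected because the check runs on fully resolved paths.
"""
import os
import tempfile
from pathlib import Path


class WorkspaceEscape(Exception):
    """Raised when a requested path resolves outside the workspace root."""


def resolve_in_workspace(root: Path, requested: str) -> Path:
    """Return the real path of `requested` if it stays inside `root`.

    Absolute requests are treated as relative to the root, so the agent
    sees the workspace as if it were the whole file system.
    """
    root = root.resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise WorkspaceEscape(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def demo() -> dict:
    """Exercise the check against constructed sample paths."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "agent-42"
        ws.mkdir()
        (ws / "notes.txt").write_text("hello")
        # A symlink planted inside the workspace that targets a directory outside it.
        os.symlink(tempfile.gettempdir(), ws / "escape")
        for name in ("notes.txt", "/notes.txt", "../../etc/passwd", "escape/x"):
            try:
                resolve_in_workspace(ws, name)
                results[name] = "allowed"
            except WorkspaceEscape:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```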
Gate 2: Divisions (Budget & Resource Isolation)
Agents are organised into divisions (Engineering, Marketing, Operations, etc.). Each division has its own:
- Budget — Maximum LLM API spend
- Worker limit — Maximum concurrent sub-agents
- Hierarchy — Workers report only to their division head
This prevents a runaway process in one division from consuming the budget allocated to another.
Gate 3: SwarmSpaces (Context Isolation)
A SwarmSpace is a complete "world state." Switching between SwarmSpaces (e.g., from "Clawpy HQ" to "Home Lab") swaps out the entire set of active agents, their roles, and their instructions — while preserving the underlying workspace data.
Docker Isolation
For maximum security, Clawpy uses Docker-out-of-Docker (DooD) to run agent code execution in completely isolated containers. This means:
- Agent-generated code runs inside a container, not on your host
- Container crashes do not affect the Clawpy platform
- Network access, file system mounts, and resource limits are all configurable per container
- No agent can install software on your host system
Key Security Properties
- All API keys encrypted at rest with Fernet encryption
- Atomic task checkout prevents double-execution