#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/openclaw/setting-up-your-ai-assistant/sandbox-mode

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░███████████████████████████████████████████████████████████████████████████████

#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/openclaw/setting-up-your-ai-assistant/sandbox-mode

Repovive

Sandbox Mode - Setting Up Your AI Assistant | OpenClaw | Repovive

Repovive.

Sandbox Mode

Docker isolation

4 min

Sandbox mode runs the agent's tool executions inside a Docker container. The container has no access to your host filesystem, network interfaces, or other processes. Think of it as a padded room for code execution.

Enable it in your agent config:

{
  "sandbox": true
}

When sandbox mode is on, the agent can only read and write files inside the container's working directory. Network requests are blocked unless you allowlist specific hosts.

When should you use this? Whenever untrusted users interact with your assistant or when the assistant runs code from external sources. The performance overhead is minimal because OpenClaw reuses a warm container pool instead of starting a fresh one per request.